The topic of data protection is governed by the EU General Data Protection Regulation (GDPR).
Since I take privacy very seriously, a use of my online offer is basically possible without personal data. However, a processing of personal data may be required if certain services of my online offer are used on a voluntary basis.
What data is collected in what context and to what extent, how and for what purpose it is processed and how long it is stored, what I do to protect personal data and whom to contact if you have any questions, I describe in this privacy statement. In addition, I inform affected persons about their rights.
The most important recurring terms are explained at the end of this Data Privacy Statement. Other terms are explained at the appropriate location.
Table of contents
The responsible person within the means of the EU General Data Protection Regulation (GDPR) is:
Jan Maria Dondeyne
Basically, data can be assigned to one or more of the following groups:
- Inventory data (e.g. names and addresses)
- Contact information (e.g. e-mail addresses, telephone and fax numbers)
- Content data (e.g. text input, photos and videos)
- Usage data (e.g. access times, visited websites, and interest in content)
- Meta / traffic data (e.g. device / browser information, IP addresses and referring websites (so-called referers))
Personal data is all information that relates to an identified or allows to identify a natural person (hereinafter the "affected person"). This includes, for example, information such as name, address, e-mail address, telephone number and date of birth. However, IP addresses, location data or other aggregated user data (user behavior) in conjunction or combined with other personal characteristics as expression of a physical, physiological, genetic, mental, economic, cultural or social identity may also identify an affected person.
No personal data, on the other hand, is all information that does not allow to make any connection to the person affected (or would allow this only with disproportionate effort). This can e.g. also be achieved by anonymization and the separate processing and storage of different data.
The processing of personal data always requires a legal basis or consent of the affected person. If the processing of personal data is required and there is no legal basis for it, I generally seek the consent of the affected person.
Processed personal data will be deleted as soon as the purpose of the processing has been achieved and no legally required retention requirements have to be maintained. If this is the case, processing is restricted.
If I process personal data for the provision of certain offers, I inform about the specific processes, the scope and purpose of the data processing, as well as the legal basis for the processing and the respective retention period below:
The hosting services I use (see Commissioned processing) are used for the purpose of operating this online service and are used, among other things, to provide infrastructure services, computing and storage capacity, e-mailing and technical security as well as maintenance services.
When visiting my online offer, I or my hosting provider processes usage data as well as meta / traffic data from visitors (see Access data and log files) and the e-mail dispatch and receipt includes the processing of inventory data, contact data, content data, usage data and meta / traffic data. This is done on the basis of my legitimate interests in an efficient and secure provision in accordance with. Art. 6 par. 1 lit. f GDPR in conjunction with Art. 28 GDPR.
I would like to point out that the transmission of data on the Internet (for example, when communicating via e-mail) generally involves security gaps, so that absolute protection can not be guaranteed. Therefore, every person concerned is free to send personal data to me by alternative means, for example by telephone or mail.
NOTE: At the moment I completely renounce the storage of logfiles!
With each call to my online service by an affected person or an automated system the service provider collects a series of general data and information on the basis of legitimate interests within the meaning of Art. 6 par. 1 lit. f GDPR. These are stored in the so-called "log files" of the server.
The names of the accessed pages, subpages and files, the date and time of the access, the type of browser of the user and its version as well as his operating system, a so-called referer URL (from which website a user has accessed my online offer), the IP address and the Internet service provider of the requesting system, as well as other similar data that serve the security can be recorded.
Since IP addresses can allow conclusions to be drawn to affected persons, these are automatically anonymized by the service provider prior to storage. Thus, the general data and information do not allow any direct conclusions about an affected person and are not merged with other data sources for this purpose.
Logfile information is stored for security reasons (for example, for misuse or security) for a maximum of 7 days and then deleted. If further evidence retention is required, it will be removed from the erasure until the incident is resolved.
When contacting me (for example by contact form, e-mail or telephone), personal details are processed and stored. Such personal data transmitted to me by an affected person on a voluntary basis will be processed and saved for the purpose of establishing contact with the affected person and for subsequent questions according to Art. 6 par. 1 lit. b. (in the context of contractual / pre-contractual relationships) and in accordance with Art. 6 par. 1 lit. f. (other requests) GDPR. Without expressed consent of the affected person, this personal data will not be disclosed to third parties.
I delete the requests if they are no longer required or if there are no legal archiving requirements. I check the requirement every two years.
Cookies are small text files stored by a user's browser, which may contain different information. Cookies are primarily used to save user information during or after a visit of an online service or to recognize a particular user or device. Temporary cookies (also called "session cookies" or "transient cookies") are automatically deleted after a user leaves an online service and closes their browser. Persistent Cookies remain stored even after the browser is closed, allowing for example a login status to be obtained for a longer period of time. In addition, such cookies can save user interests and be used for reach measurements or marketing purposes. Third-party cookies refer to cookies not set by the responsible person, whereas those assigned by the responsible person are referred to as first-party cookies.
I only use first-party cookies e.g. to allow users to add images they are interested in to a contact request and to temporarily save their input. This is similar to an online store, which remembers the items that a customer has placed in the virtual shopping cart via a cookie. This is especially necessary for more user-friendly services such as this technical function and therefore requires no separate consent. These cookies are automatically deleted when the session expires or the browser window is closed.
If you do not want cookies to be stored on your computer, you can deactivate the corresponding option in the system settings of your browser. There you can also delete already saved cookies. However, the exclusion of cookies can lead to functional restrictions of my online offer.
Due to my legitimate interests in the analysis, optimization and economic operation of my online offer within the meaning of Art. 6 par. 1 lit. f. GDPR, I use the reach analysis tool "Matomo". It is an open-source software for the statistical analysis of visitor traffic, with the data being processed by myself and stored on my server only.
The following data is processed and statistically evaluated:
- Browser type and browser version
- Operating system
- Date and time of server request
- Country of origin
- Number of visits and time spent on the website as well as subpages
- operated external links
- IP address (will be automatically anonymized before it is saved).
Matomo forms pseudonymized user profiles that allow me to evaluate the use of my online services, optimize and develop a more needs-based design.
Depending on the settings, cookies can also be stored by Matomo, which have a retention period of 7 days and are then automatically deleted again. The creation of pseudonymous user profiles is restricted when cookies are dispensed and a new visit, if it comes from a new IP address, is not associated with previous visits, but is considered as new.
This information will not be passed on to third parties and the information will not be linked to other data sources. Matomo is also configured to honor a »Do-Not-Track« setting in the browser. If you disagree with the storage and evaluation, please activate the »Do-Not-Track« setting of your browser.
The user data logs will be deleted after 6 months at the latest.
If I disclose data to third parties or commissioned processors, provide them with or otherwise grant access to the data, this is done only:
- on the basis of a legal permission (for example, if a transmission of data to third parties is required to fulfill a contract in accordance with Art. 6 par. 1 lit. b GDPR),
- You have agreed
- a legal obligation provides for this
- or based on my legitimate interests (for example, using contract processors such as web hosts, etc.). This is done on the basis of Art. 28 GDPR and a so-called "commissioned processing contract".
In order to realize my online offer, I use the following commissioned processors, which I have carefully selected (also in view of data protection) and with whom I have concluded order commissioned processing contracts:
Service provider for the hosting of my website is Uberspace, represented by Jonas Pasche, Kaiserstr. 15, 55116 Mainz, Germany.
Transmission to third countries (i.e. outside the European Union (EU) or the European Economic Area (EEA)) only takes place in connection with the use of third party services, the transmission of data to third parties in order to fulfill my (pre) contractual obligations, based on your consent, required by a legal obligation or based on my legitimate interests.
Subject to legal or contractual permissions, I process or let the data being processed in a third country only in the presence of the special conditions of Art. 44 et. seq. GDPR. That means the processing is e.g. on the basis of specific guarantees, such as the officially recognized level of data protection (e.g. for the US through the Privacy Shield) or compliance with officially recognized special contractual obligations (so-called "standard contractual clauses").
On the basis of my legitimate interests within the meaning of Art. 6 par. 1 lit. f. GDPR, I may integrate third-party content and services, for example to include videos or fonts in my online offer (hereinafter referred to collectively as "Content").
This always presupposes that the third-party providers of this content perceive the IP address of the users, since they could not deliver the content to their browser without the IP address. The IP address is therefore required for the presentation of this content.
I strive to use only content providers who use the IP address solely to deliver the content, since third-parties may also use so-called pixel tags (invisible graphics, also called "web beacons") for statistical or marketing purposes which can evaluate the traffic of my online offer. In addition, cookies could be stored on the users' devices, containing technical information, usage data and meta / traffic data that may be read by the third-parties and associated with information from other sources.
The following contents or services can be integrated in my online offer:
Videos from the YouTube Platform of Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA.
As the responsible person, I have taken technical and organizational measures to ensure the most complete protection possible for personal data processed via my website. However, I would like to point out that data transmission on the Internet (for example, when communicating via e-mail) generally involves security gaps, so that absolute protection can not be guaranteed. Therefore, every person concerned is free to send personal data to me by alternative means, for example by telephone or mail.
I use SSL encryption throughout my online offering for security and privacy reasons. According to the state of the art, confidential contents and personal data which an affected person transmits to me via my website can not be read by third parties.
You can recognize an encrypted connection by the fact that "https://" is in front of the Internet address in the address bar of your browser instead of "http://". In addition, a lock symbol is displayed in or next to the address bar in most common browsers.
I only process and store personal data of affected persons for the period required to achieve the purpose of the storage or as provided in the laws or regulations to which I am subject by the European Directives and Regulators or any other legislator.
If the storage purpose is omitted or if a storage period prescribed by the European directives and regulations or any other relevant legislator expires, the personal data will be routinely blocked or deleted in accordance with the statutory provisions.
From the GDPR the following rights arise for each person affected by a data processing, which I am obliged to point out:
Right to confirmation and information
According to Art. 15 GDPR, you have the right to ask for confirmation as to whether personal data relating to you is processed by me. Furthermore, you have the right to obtain information about the data stored on your person as well as further information and a copy of this information.
You may demand information on the processing purposes and categories of processed personal data, the recipients to whom the personal data have been or are being disclosed (in particular for recipients in third countries or international organizations), the duration of storage and its criteria, the existence of rights (rectification, erasure, restriction of processing, opposition, complaint to a supervisory authority), information on the origin of the personal data, if not collected from the affected person, the existence of automated decision-making including profiling (in accordance with Art. 22 par. 1 and 4 GDPR) and information on the logic involved, as well as the scope and impact for the affected person, whether data has been transmitted to a third country or to an international organization, and whether appropriate guarantees are provided in the case of a transfer.
Right to rectification
According to Art. 16 GDPR you can immediately demand the correction of incorrect or the completion of your personal data stored by me.
Right to cancellation (right to be forgotten)
According to Art. 17 GDPR, you may request the deletion of your personal data stored by me, as far as the processing is not required for the exercise of the right to freedom of expression and information, for the fulfillment of a legal obligation, for reasons of the public interest or for the assertion, exercise or defense of legal claims.
Right to restriction of processing
According to Art. 18 GDPR you can demand the restriction of the processing of your personal data, as far as the correctness of the data is denied by you, the processing is unlawful, I no longer need the data and you refuse their deletion, because you need it for assertion, exercise or defense of legal claims or if you have objected to the processing in accordance with Art. 21 GDPR.
Right to Data Portability
According to Art. 20 GDPR, you may request to receive your personal data provided to me in a structured, common and machine-readable format or to transfer the data to another person in charge.
Right to objection
According to Art. 7 par. 3 GDPR, you can revoke your once given consent to me at any time. As a result, I am no longer allowed to continue the data processing based on this consent for the future.
Right to complain to a regulator
According to Art. 77 GDPR you have the right to complain to a supervisory authority. Generally, you can contact the supervisory authority of your usual place of residence, your workplace or the supervisory authority responsible for me.
According to Art. 21 GDPR you have the right to refuse the processing of your personal data, which happens based on legitimate interests according to Art. 6 par. 1 s. 1 lit. f GDPR, and to file an objection if there are reasons for this arising from your particular situation or if the objection is directed against direct mail.
In the case of direct mail, there is a general right for objection, which I implement without statement of a particular situation.
Art. 6 par. 1 lit. a GDPR serves as the legal basis for processing operations for which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the affected person is party, as is the case, for example, when processing operations are necessary for the supply of goods or to provide any other service, the processing is based on Article 6 par. 1 lit. b GDPR. The same applies to such processing operations which are necessary for carrying out pre-contractual measures, for example in the case of inquiries concerning our products or services. Is our company subject to a legal obligation by which processing of personal data is required, such as for the fulfillment of tax obligations, the processing is based on Art. 6 par. 1 lit. c GDPR. In rare cases, the processing of personal data may be necessary to protect the vital interests of the affected person or of another natural person. This would be the case, for example, if a visitor were injured in our company and his name, age, health insurance data or other vital information would have to be passed on to a doctor, hospital or other third party. Then the processing would be based on Art. 6 par. 1 lit. d GDPR. Finally, processing operations could be based on Article 6 par. 1 lit. f GDPR. This legal basis is used for processing operations which are not covered by any of the abovementioned legal grounds, if processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the affected person which require protection of personal data. Such processing operations are particularly permissible because they have been specifically mentioned by the European legislator. He considered that a legitimate interest could be assumed if the affected person is a client of the responsible person (Recital 47 Sentence 2 GDPR).
I inform you that the provision of personal data is partly required by law (such as tax regulations) or may result from contractual arrangements (such as details of the contractor). Occasionally it may be necessary for a contract to be concluded that an affected person provides me with personal data that must subsequently be processed by me. For example, the affected person is required to provide me with personally identifiable information when I conclude a contract with her, otherwise it would mean that the contract with the affected person could not be closed.
The affected person must contact me prior to any provision of personal data by the person concerned. I clarify to the individual on a case-by-case basis whether the provision of the personal data is required by law or contract or is required for the conclusion of the contract, whether there is an obligation to provide the personal data and the consequences of the non-provision of the personal data.
I renounce automatic decision making or profiling.
I reserve the right to change this Data Privacy Statement from time to time so that it always complies with the current legal requirements or to implement changes in my services or technical features of my online offer in the Data Privacy Statement (e.g. when introducing new services). Your new visit will be subject to the new Data Privacy Statement.
The current status of this Data Privacy Statement is always available on my website.
The collection, use and transfer of my own contact data published as part of the imprint obligation as well as other personal data mentioned on any of my pages for commercial purposes or the sending of not explicitly requested advertising is hereby contradicted. I reserve the right to take legal action in the event of such use or the unsolicited sending of promotional information, such as spam e-mails.
Personal data means any information relating to an identified or identifiable natural person (“affected person”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Affected person or data subject is any identified or identifiable natural person, whose personal data is processed by the person responsible for the processing.
Responsible is the natural or legal person, public authority, agency or other body that alone or together with others decides on the purposes and means of processing personal data.
Third party is a natural or legal person, public authority, agency or other body which is not, however, the affected person, the person responsible, a commissioned processor or a person who is under the direct responsibility of the responsible person or commissioned processor and allowed to process personal data.
Commissioned processor is a natural or legal person, agency, agency or other body that processes personal data on behalf of the responsible person.
Consent of the affected person is any freely given, specific, informed and unambiguous indication of the affected person’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Restriction of processing is the marking of stored personal data with the aim of limiting their processing in the future.
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific affected person without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
As of: May 2018