Data Protection Information

It goes without saying that the protection of your personal data in accordance with the data protection regulations, in particular the German Federal Data Protection Act ("Bundesdatenschutzgesetz", BDSG) as well as the EU General Data Protection Regulation (GDPR), is an important concern for me.

With this data protection information I would like to inform you about how I ensure this protection and in what way and to what extent personal data (hereinafter also referred to as "data") is processed when communicating with me, when using this website and the services offered.

The data controller in regard to the above-mentioned data processing is:

In order to achieve the highest possible level of security with regard to data security when processing personal data, various security measures are taken to protect your data.

These measures include the encrypted transmission of your data using the encryption technologies SSL (Secure Socket Layer) or TLS (Transport Layer Security). These techniques are intended to prevent data streams from being intercepted by third parties and being viewed in plain text. You can recognize an existing SSL encryption by the "https://" in the address line of your browser. Modern browsers also display, for example, a lock symbol or warn you if no encryption is used. You can find further information on this in the respective "Help" secion of your browser. This way, you can check that your data is being transmitted securely at all times.

There are several possibilities to contact me. Especially by mail, telephone or e-mail as well as by using the contact form (webmailer) on my website.

If, depending on the chosen means of communication, the provision of certain information is voluntary, you will be notified of this fact if such notification is suitable for the respective means of communication. Voluntary information can be - as far as such information is not already required due to the choice of the respective means of communication - e.g. your title and address, your name, your (mobile) phone number or your e-mail address.

When you contact me, I will process not only the information provided by you in the course of contacting me but also the date and, if applicable, the time of your request. This processing serves the purpose of answering your contact request or processing your inquiry. The personal data received in this way will in gerneral only be transferred to third parties if this is necessary for the processing of your contact request (e.g. if the consultation of third parties is necessary) or when I am entitled or obliged to do so for other reasons (see also "Transferring Data").

The processing of your data in connection with a contact request is carried out in response to your inquiry and is based on Art. 6 (1) sentence 1 lit. b) GDPR since the details you provided are necessary for processing the respective contact request. Furthermore, the processing of any further information you have voluntarily provided is based on your consent andt therefore Art. 6 (1) sentence 1 lit. a) GDPR. Insofar as your consent is the legal basis for the processing, please also note the information on your right to withdrawal in this regard in the section titled "Right to withdraw a data protection Consent".

In principle, the data collected or transmitted will be stored at least for as long as is necessary to answer your inquiry. In case of inquiries in connection with the services offered and in the context of a possible contractual relationship, including the initiation of such a contractual relationship, the data will be stored for the duration mentioned in the section titled "Performance of a Contract" or, should a contract not be concluded initially, for a period of six months after the last correspondence occured. The latter is done in my legitimate interest pursuant to Art. 6 (1) sentence 1 lit. f) GDPR, to have the information at hand and not needing to ask for it again in the event of a new request within this period of time. Further storage of data is possible in the cases mentioned in section "Duration of Processing / Retention Period".

When commissioning or consuming services, including the correspondence conducted in this context, I process your data in accordance with the aforementioned Section 3.1.1. and store the data collected or transmitted also at least for as long as the storage period stated therein, plus the respective warranty periods in respect to the performance of the contract on the basis of Art. 6 (1) sentence 1 lit b) GDPR.

Of course, I would like to answer your inquiries regarding the services with the necessary diligence. Therefore, I require all relevant information. Such information has been provided to me, inter alia, in the context of the assignment. Insofar as the information provided contains personal data, I will also process teh data for the purpose of my performance of the contract in accordance with Art. 6 (1) sentence 1 lit. b) GDPR and on the basis of Art. 6 (1) sentence 1 lit. f) GDPR in my legitimate interests of effectively organising the provision of the services and demonstrating the proper fulfilment of the contract repsectively defending against any unjustified claims for defects.

The data will also be stored at least for the duration of the contractual relationship and - beyond that - until the expiry of any periods of limitation. The expiry of limitation periods is determined in accordance with Sections 194 ff. German Civil Code ("Bürgerliches Gesetzbuch", BGB) and can be up to 30 years; the applicable storage period thus always depends on the individual case.

In addition, the data is stored within the scope of the storage obligations under accounting or tax law applicable to business documents and records (see also "Duration of Processing / Retention Period") on the basis of the relevant legal obligations and in accordance with Art. 6 (1) sentence 1 lit. c) GDPR.

When visiting my website, data processing always takes place, even if you visit the website without using any specific services like the contact form. Without drawing conclusions about your person, the following data is processed in this regard:

• the previously visited website (so-called referrer URL);
• the visited (sub)pages of my website;
• the date and time of access;
• the Internet Protocol address (IP address) of the accessing terminal device;
• the type of the terminal device with which the access takes place (e.g. computer, mobile phone etc.);
• the operating system and browser of the terminal device, including version number and language set there.

This information is required for the following purposes:

• correct delivery of the contents of the website including the optimization and promotion of the website, e.g. to adjust the view of a low resolution on a mobile device;
• ensuring the permanent functionality of the information technology systems and technology of the website; and
• providing law enforcement authorities with the necessary information for prosecution in the event of a cyber attack.

This data is processed and stored in so-called server log files as long as it is necessary for the above-mentioned purposes, but for a maximum of 14 days. Afterwards, the data is anonymised and statistically evaluated for the same purposes. This makes it possible to ensure a smooth delivery of the website also for the future and to increase data protection and data security.

Data processing is thus carried out for the purpose of providing the services offered and is based in this respect on Art. 6 (1) sentence 1 lit. b) GDPR. In addition, it serves to ensure the integrity of the technology and services and their best possible presentation. It is therefore also in my legitimate interest in this respect and is based on Article 6 (1) sentence 1 lit. f) GDPR.

In order to ensure that the website is designed to meet your needs and to provide you with the best possible user experience, the functionality of the services is continuously checked in order to correct or improve functions that have been identified as faulty or user-unfriendly. I would also like to know whether I reach the target group I am addressing. For this I need information about how and to what extent the website is used. I obtain this information by using the tool Matomo (formerly "Piwik") for reach measurement and usage analysis. Matomo creates pseudonymised usage profiles. This enables me to learn more about your click and surfing behaviour when using my services. In this context, the same data as mentioned in paragraph 3.2.1 is processed, however the IP address is shortened by the last octet.

Data processing in this regard is carried out in my above-mentioned legitimate interests and is based on Art. 6 (1) lit. f) GDPR.

If you have activated the "Do-not-Track" option in your browser settings, the data processing mentioned in this paragraph 3.2.2 will not take place.

Generally, I process and store personal data only for as long as this is necessary to achieve the purposes further described under Section 3.

After achievement or omission of the purpose, or when you exercise your right to delete data, I will delete the personal data. That is, unless I am legally entitled (for example, for evidence purposes within the context of our contractual relationship) or obligated (for example, for tax reasons) to further process or store the data.

The retention period within the scope of such an aforementioned right or obligation may be longer than was necessary for the original processing purpose. With regard to the storage of invoicing documents, for example, there is a tax law obligation to store them for a period of 10 years (Section 147 (3) of the German Fiscal Code ("Abgabenordnung")). Retention for evidentiary purposes is effected until the expiry of the respective limitation period (see in particular Sections 194 ff. German Civil Code ("Bürgerliches Gesetzbuch", BGB)). However, if the original purpose has been achieved or has ceased to apply, I will process the personal data only for these strictly limited purposes. The data will then be permanently deleted, once the legal ground ceases to apply respectively when the obligation to retain the data expires.

A transfer of personal data is possible when I, as the data controller, commission a third party to process this data (so-called "data processing"). Such a transfer in the context of a data processing is strictly regulated by the GDPR in Art. 28, which ensures that your data must always be handled with due care. The data processors are subject to my control in terms of data protection law and are subject to my instructions, so that your rights (in particular those set out in the following section "Your rights as Data Subject") are always respected.

I have currently commissioned the following persons or companies to carry out data processing (data processing pursuant to Art. 28 GDPR):

• netcup GmbH, Daimlerstr. 25, 76185 Karlsruhe (web hosting)

Your data will only be transferred to third parties who are not data processors as described in section 3.

As a person affected by the processing of personal data, you have certain legally warranted rights, about which I would like to inform you in the following.

The rights set out in sections 6.1 to 6.8 can be asserted against me as the data controller. All relevant contact details can be found in the above section "Data Controller". However, if you wish to exercise your right of appeal to a supervisory authority (see Section 6.9), please contact the competent supervisory authority directly.

You have the right to at any time receive information about the stored personal data concerning you. This concerns the question of whether I process such data at all and - if so - the following information:

• the purposes of the processing;
• the categories of personal data concerned;
• the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
• where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
• the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
• the right to lodge a complaint with a supervisory authority;
• where the personal data are not collected from the data subject, any available information as to their source;
• the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You also have a right of information as to whether personal data have are transferred to a third country or to an international organisation. If this is the case, you also have the right to be informed of the appropriate guarantees relating to the transfer.

You have the right to obtain a copy of the personal data which are subject to the processing. If you lodge such a request electronically (e.g. by e-mail) and nothing to the contrary is mentioned within your request, I will provide you with the information in a commonly used electronic form. The first copy to be provided is free of charge for you. For all further copies that you request, you may be charged a reasonable fee based on the administrative costs.

The right to access follows from Art. 15 DS-GVO.

You have the right to demand the correction of incorrect personal data concerning you without undue delay. You also have the right to request the completion of incomplete personal data, including by means of a supplementary statement, taking into account the purposes of the processing.

The right to rectification follows from Art. 16 GDPR.

You have the right to obtain from me the erasure of personal data concerning you without undue delay and I shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

• the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• you have withdrawn consent on which the processing is based according to point (a) of Article 6 (1), or point (a) of Article 9 (2) GDPR, and where there is no other legal ground for the processing;
• you object to the processing pursuant to Article 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21 (2) GDPR;
• the personal data have been unlawfully processed;
• the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which I am subject;
• the personal data have been collected in relation to the offer of information society services referred to in Article 8 (1) GDPR .

However, there is no right to erasure insofar as the processing is necessary,

• for exercising the right of freedom of expression and information;
• for compliance with a legal obligation which requires processing by Union or Member State law to which I am subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in me;
• for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9 (2) as well as Article 9 (3) GDPR;
• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) GDPR in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
• for the establishment, exercise or defence of legal claims.

If one of the above reasons applies and if you request the erasure of your personal data and when there is no exception according to the above points, I will arrange for the erasure.

The right to erasure follows from Art. 17 GDPR.

You have the right to obtain from me the restriction of processing where one of the following applies:

• the accuracy of the personal data is contested by you, for a period enabling me to verify the accuracy of the personal data;
• the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
• I no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims;
• you have objected to processing pursuant to Article 21 (1) GDPR pending the verification whether the legitimate reasons I have invoked outweigh yours.

The right to restriction of processing follows from Art. 18 GDPR.

As far as this does not adversely affect the rights and freedoms of others, you have the right to receive the personal data concerning you, which you have provided to me, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from me, where:

• the processing is based on consent pursuant to point (a) of Article 6 (1) GDPR or point (a) of Article 9 (2) GDPR or on a contract pursuant to point (b) of Article 6 (1) GDPR; and
• the processing is carried out by automated means.

You also have the right, when exercising your right to data portability, to obtain that the personal data be transferred directly from me to another data controller, as far as this is technically feasible.

The right to data portability follows from Art. 20 GDPR.

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6 (1) GDPR, including profiling based on those provisions.

I will no longer process the personal data unless I can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or if the processing occuurs for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, I will no longer process your personal data for such purposes.

Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89 (1) GDPR, you, on grounds relating to your particular situation, have the right to object to processing of personal data concerning you, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

The right to object follows from Art. 21 GDPR.

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless the decision (a) is necessary for entering into, or performance of, a contract between you and me or (b) is authorised by Union or Member State law to which I am subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests or (c) is based on your explicit consent.

In the cases referred to in points (a) and (c), I will implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on my part, to express your point of view and to contest the decision.

This right follows from Art. 22 GDPR.

You have the right to withdraw your consent to the processing of personal data in whole or in part at any time. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

Your right to withdraw a granted consent under data protection law follows from Art. 7 (3) GDPR.

You have the right to lodge a complaint with the supervisory authority. This right is based on Art. 56 (2) GDPR.

The data protection information valid at the time of collection applies in each case. The right to change the data protection information (in particular to adapt it to a changed factual or legal situation) is reserved.

If applicable, any changes will be communicated in a suitable form. This applies in particular to such changes which concern the use and processing of data which deviate from the original purpose of processing.

Any use of your personal data based on your consent will be made solely to the extent to which you have given your consent, irrespective of any changes to the data protection information in the meantime. Should it be necessary, I will therefore ask you to give your consent again.