Data protection declaration Website and services Ernst Prost Stiftung
(Version: 6/20/2018)
Contents
1. About us
2. Why do we process your data?
3. What data about you do we collect and process?
4. Who has access to your data and who do we disclose your data to?
a) Access
b) Disclosure to third countries and legal basis
c) Disclosure to criminal enforcement and investigation authorities
5. Storage periods
6. Your rights
a) Right to access and data portability
b) Right to rectification, restriction and erasure
c) Rights to object
d) Right to withdraw consent
e) Right to complain to the supervisory authority
f) Contact data
7. Use of our website – profiling, cookies and web tracking
a) Basic information about cookies and opting out
b) Google Analytics
c) YouTube video, embedded via iFrame in extended data protection mode
d) Social media buttons
8. Further information and rules regarding individual services
a) E-mail contact
b) Request for support
c) Donations
d) Data processing for direct mail purposes
1. About us
The charity Ernst Prost Stiftung is the data controller for the collection, processing and storage of your data. You can always consult our details in our Legal Notice.
The careful handling of your personal data is our top priority. When processing your data we comply with the legislative provisions, e.g. the General Data Protection Regulation (GDPR) and the associated national provisions.
This data protection declaration applies to all of our charity’s websites accessible via our domain (www.ernst-prost-stiftung.de). If when exploring our services you change to websites administered by other operators, other data protection rules will apply, for which the individual operators will be responsible.
As we wish to give you a full overview of the processing of personal data in our charity, you will find below a summary of all our services in which we collect and process personal data.
If, in the case of particular services, special or additional conditions apply or we ask you for your consent, we will inform you of this separately prior to use of the service (e.g. a request for support).
In addition we take many different security precautions for protecting your personal data. For instance, transfer of data between your web browser and our service is generally encrypted for transport, and we also have a large number of technical and organizational measures designed to protect your data at all times.
2. Why do we process your data?
Generally speaking, you may use our website without disclosing your identity. If you wish to contact us, we ask you for your name and other personal information. It is your decision whether to provide this (extended) data. Data which we need to obtain from you for providing our services are noted as such.
The collection and processing of your personal data is done for the following purposes and on the following legal grounds:
- Contract initiation under GDPR Art. 6-1 a) and b)
- Contract performance under GDPR Art. 6-1 b)
- Management of the supported organizations under GDPR Art. 6-1 b) and c), f)
- Communication and data exchange under GDPR Art. 6-1 a), b), c), f)
- External image and advertising under GDPR Art. 6-1 a), f)
- Implementation of declarations of consent under GDPR Art. 6-1 a)
- Assuring the proper operation of a data processing system under GDPR Art. 6-1 c) and f)
3. What data about you do we collect and process?
We collect various categories of personal data from you. Personal data means all information relating to an identified or identifiable natural person; natural persons will be deemed identifiable if they can be identified directly or indirectly, especially by correlation with an identifier, such as a name. Personal data includes information such as your name, address and telephone number. Statistical information that cannot be directly or indirectly associated with you – such as the popularity of individual websites operated by us or the number of users of a site – is not personal data. This includes directly and indirectly collected data. In both cases, data are only collected to the necessary extent; data are processed solely for the purposes in Section 2. It is up to you whether to provide data that will optimize the use of our site for you but is not absolutely necessary. Such data fields are known as ‘voluntary’.
Directly collected data comprise:
• Title, name and contact data (postal address, e-mail, telephone) as part of a request for support.
• Data which you disclose to us actively and consciously while using our services.
• Further data which you voluntarily disclose to us.
In addition, data about you are collected indirectly when using our services:
• Technical connection data, e.g. the requested page on our website, your IP address, shortened to the last three digits, date and time of your request, the terminal equipment used, browser configuration data.
Minors:
Our website is not intended for use by minors and we do not knowingly collect personal data from minors.
If persons under the age of 16 disclose personal data to us, this is only permitted if parents or legal guardians have themselves consented or approved the consent of the young person. Pursuant to GDPR Art. 8-2, the contact details of the parent or legal guardian must be communicated to us as evidence of the consent or the approval of the parent or legal guardian. These data and the minor’s data will then be processed according to this data protection declaration.
If we determine that a minor under the age of 16 has sent us personal data without the actual consent of parents or guardians or their approval of the consent of the minor, we will erase the data immediately.
4. Who has access to your data and who do we disclose your data to?
a) Access
Access to your personal data stored by us is limited to our employees and the service providers contracted by us who on account of their job need to deal with these personal data.
If third parties receive access to your data, we have obtained your permission for this or there is a legal basis for it.
We also use service providers for performing services and processing your data (e.g. for hosting, mailing of letters or e-mails, the maintenance and analysis of databases, the safeguarding of our web servers or for website tracking). If special rules apply here, we have set them out below in connection with the individual service. These service providers process the data exclusively on our instructions and are obliged to comply with the applicable data protection regulations. All contract processors have been carefully selected and are given access to your data only to the extent and for the period which is necessary for performing the services or to the extent to which you have consented to the processing and use of the data.
b) Disclosure to third countries and legal basis
The servers of some of the service providers used by us are located in the USA and other countries outside the European Union. Companies in these countries are subject to data protection laws that do not generally protect personal data to the same extent as is the case in the Member States of the European Union. If your data are processed in a country without a recognized high data protection level such as the European Union has, we ensure by contractual provisions or other recognized instruments that your personal data are appropriately protected. Within the individual services we again expressly refer to this.
If disclosure of personal data takes place in third countries, this will be on the basis of the EU Commission’s adequacy decision regarding the EU-U.S. Privacy Shield pursuant to GDPR Art. 45 or the EU Standard Treaty 2010 pursuant to GDPR Art. 46-2 c) in conjunction with the EU Commission’s decision of 02/05/2010 (2010/87/EU) or pursuant to your consent under GDPR Art. 49-1 a).
c) Disclosure to criminal enforcement and investigation authorities
In exceptional cases we disclose personal data to criminal enforcement and investigation authorities. This is done on the basis of corresponding legal obligations, e.g. from the German Code of Criminal Procedure (Strafprozessordnung), the German Tax Code (Abgabenordnung), the Money Laundering Act (Geldwäschegesetz) or state police laws.
5. Storage periods
We store personal data within the scope of legal regulations or your consent.
We use the following criteria to determine the specific storage duration:
We save personal data until the purposes for which they were collected expire (e.g. upon the termination of a contractual relationship or with the last activity, if no continuing obligation exists, or in the case of a withdrawal of your consent for specific data processing).
Any other storage will only take place if
• there is a statutory duty of retention (e.g. according to the German Tax Code or Commercial Code);
• the data are still needed for the enforcement and exercise of legal claims or for defense against legal claims, e.g. as a result of technological and forensic requirements for fending off attacks on or monitoring of our web servers;
• deletion would be against such interests of the data subjects as merit protection; or
• there is some other exception under GDPR Art. 17-3.
6. Your rights
You have a number of legal rights which we will point out in the following. In addition, our Data Protection Representative is naturally also at your disposal for all questions on data about your person that are collected and processed by us. The Representative can be contacted using the contact details given below.
a) Right to access and data portability
You have at all times the right to access the personal data relating to you which have been processed by us.
If the data processing is based on your consent or on a contract pursuant to GDPR Art. 6-1 b), you may, pursuant to GDPR Art. 20-1, also request that you receive the personal data stored about you in a structured, established and machine-readable format. At your request, we will also transfer these data directly to a recipient determined by you.
b) Right to rectification, restriction and erasure
Furthermore, pursuant to GDPR Arts. 16 to 18, you may request that we rectify, restrict (block) or erase your personal data if we have processed the data incorrectly, if there are grounds for restricting further data processing or if the data processing has become unlawful for various reasons, or if its storage is inadmissible for other legal reasons. We would point out that your right to erasure may be limited by statutory retention periods.
c) Rights to object
If our data processing is justified solely by our legitimate interests according to GDPR Art. 6-1 f), you may raise an objection to this processing in accordance with GDPR Art. 21-1. We will then stop processing your data unless we can show grounds for processing that are worthy of protection and which override your interests, rights and freedoms, or the processing serves to enforce, exercise or defend a legal claim. Furthermore you always have the right to oppose the use of your data for the purposes of direct advertising with future effect, according to GDPR Art. 21-2.
d) Right to withdraw consent
If you have permitted the processing of your personal data by your consent, you have according to GDPR Art. 7-3 a right to withdraw your consent with future effect.
e) Right to complain to the supervisory authority
You are at liberty to lodge a complaint with a supervisory authority, if you are of the opinion that our processing of your personal data infringes the European General Data Protection Regulation or other national and international data protection legislation.
The contact data for the supervisory authority responsible for us are:
Bayerisches Landesamt für Datenschutzaufsicht
Visitor’s address
Promenade 27 (Schloss)
91522 Ansbach
Germany
Postal address
Postfach 606
91511 Ansbach
Germany
Availability
Tel.: +49 (0) 981 53 1300
Fax: +49 (0) 981 53 98 1300
E-mail: poststelle@lda.bayern.de
f) Contact data
To exercise your rights, you can send us an informal message at the contact details below. Please also address the withdrawal of your consent to the contact details below, indicating which declaration of consent you wish to withdraw:
Data Controller
Ernst Prost Stiftung
Schloßhof 1
89340 Leipheim
Germany
Tel.: +49 82 21 / 3 68 87 60
E-mail: info@ernst-prost-stiftung.de
7. Use of our website – profiling, cookies and web tracking
a) Basic information about cookies and opting out
In certain areas of our website we use so-called cookies, e.g. for recognizing the preferences of visitors and optimizing the website accordingly. This simplifies navigation and enables a high degree of website user-friendliness. Cookies also help us to identify particularly popular areas of our website. Cookies are small files that are stored on a visitor’s hard drive. They allow information to be stored for a certain period of time and permit the identification of the visitor’s computer. For better guidance of users and individual presentation of performance, we use permanent cookies.
We also use so-called session cookies that are automatically deleted when you close your browser. You can set your browser so that it informs you about the placement of cookies. This makes the use of cookies transparent for you. This takes place in order to check the authorization of actions and authentication of the requesting user of our services. The legal bases are GDPR Art. 6-1 c) in conjunction with GDPR Art. 32 and Art. 6-1 f). Our legitimate interest is the safeguarding of our web server, e.g. in order to defend it against attacks, and assuring the functionality of our services.
We only use cookies that are not technically necessary with your express consent, which you may of course withdraw at any time.
In connection with our cookie information on our website, you have accordingly consented to the following declaration:
This website uses tracking cookies or tracking software in order to offer you the full functionality of our website and thus a better online experience. Further information on the cookies and webtracking process used by us and your consents to these can be found in our data protection declaration under https://www.ernst-prost-stiftung.de/index.php/en/2-uncategorised/66-data-protection
However, cookies that are not technically necessary or our tracking software are only activated after you have given us your consent. [Agreed]
If you completely exclude the use of cookies, you will not be able to use certain functions of our website – including the possibility of a cookie-based opt-out of tracking. Please permit any opt-out cookies on your services, in connection with which you would like to disable tracking.
Please also remember that deletion of all cookies will mean that opt-out cookies are deleted too. You will therefore have to reset these. Furthermore, cookies are associated with the browser, which means that they have to be specially set in each browser used by you on each device used by you. The necessary links can be found below in the description of the service in question.
The following cookies - assuming you have permitted them and not set one or more opt-out cookies - are used for the further described purpose:
b) Google Analytics
This website uses Google Analytics, a web analytics service provided by Google LLC ('Google'). Google Analytics uses so-called cookies, text files which are stored on your computer and which allow an analysis of your use of the website. The information generated by the cookie concerning your use of this website is generally passed on to a Google server in the USA and saved there. In the event that anonymous use of IP should be activated on this website, your IP address is first abbreviated by Google within Member States of the European Union or other signatories to the European Economic Area Treaty. Only in exceptional circumstances is the full IP address transferred to a Google server in the USA and abbreviated there. On our behalf, Google will use this information to evaluate your use of the website, to compile reports on website activity, and to provide other services related to the use of the website and of the Internet to the website operator. The IP address transferred from your browser as part of Google Analytics is not added to other Google data. One way to object to web analysis by Google Analytics is to set an opt-out cookie that instructs Google not to store or use your data for web analysis purposes. Please note that in this solution the web analysis will not take place only for as long as the browser stores the opt-out cookie. If you would like to set the opt-out cookie, please click https://developers.google.com/analytics/devguides/collection/gajs/?hl=de#disable.
You can avoid the saving of cookies by adjusting your browser software appropriately; however, we would like to point out that in this case it is possible that you will not be able to use all the functions of this website. Furthermore, you can prevent the recording of the data created by the cookie and related to your use of the website (incl. your IP address) as well as the processing of this data by Google by downloading and installing the browser plug-in available at the following link. The current link is: http://tools.google.com/dlpage/gaoptout?hl=de.
Data recipients: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Privacy-Shield: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active
c) YouTube video, embedded via iFrame in the extended data protection mode
We use YouTube, a Google service, to provide you with video content. For protection of your privacy we have activated the extended data protection mode.
YouTube also uses cookies, in order to collect information about visitors to their website. YouTube uses these, among other things, to collect video statistics, to prevent fraud and to improve user-friendliness. Calling up a video usually also leads to a connection with the Google DoubleClick network. Starting the video could trigger further data processing operations, especially if you are already logged in to YouTube. We have no influence on this.
By pressing the start button on the video, you agree to disclosure of data to YouTube LLC:
Further information about data protection on YouTube can be found in their data protection declaration (http://www.youtube.com/t/privacy_at_youtube).
Data recipient: YouTube LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Privacy-Shield: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active
d) Social media buttons
On our website we use the Social Media Plugin from Facebook Inc.
If when visiting our website you are simultaneously logged into Facebook (e.g. at www.facebook.com) or are using the plugin (e.g. pressing a ‘Like’ button), a direct connection between your browser and Facebook will be established which will collect any personal data (IP address) and other information which can be compressed into a personal data item (e.g. browser system configuration, mobility and use data).
As this transfer is a direct one, we have no knowledge of the data disclosed or of the processing procedures. The data controller for these data according to GDPR Art. 4-17 is Facebook alone.
Consequently, the so-called 2-click model has been installed on our website, i.e. the Social Media Plugins are initially deactivated online buttons which create no contact with the servers of the operator in question. Only when you activate them and thus have truly consented to communication with the provider, will the data from these be actually collected.
By a second press of the deactivated button, you consent to the disclosure of the data to the social network provider:
“By a second press of the deactivated button you consent to disclosure of the data to the social network provider. Further information on the cookies used for this will be found in our data protection declaration under https://www.ernst-prost-stiftung.de/index.php/en/2-uncategorised/66-data-protection”
Recipient: Facebook Inc., Menlo Park, CA 512374, USA
Privacy-Shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active
8. Further information and rules regarding individual services
a) E-mail contact
Data which you disclose to us by e-mail will be processed for purposes of communication and data exchange, i.e. in order to answer your specific inquiry. Please remember that these data are sent over the Internet unencrypted. We therefore recommend the use of encryption software. These data are stored as long as their processing is required for these purposes or until the expiry of any subsequent retention periods.
b) Requests for support
We offer you the opportunity to apply to us for support. When you do so, we ask for your name and contact data. Please send the request for support to us by mail to the address indicated. If you would like to send the request by e-mail, please remember that these data are transferred in unencrypted form, and hence we recommend the use of encryption software for this purpose. Your request for support will be passed only to the persons dealing with it. All parties involved will treat your documents with the necessary care and with absolute confidentiality.
If we refuse your request, we will delete your documents after the expiry of the statutory retention periods.
c) Donations
You may make donations to our projects. You may either transfer money, use our text donation option, or donate through many online shops via www.click4charity.net or by Amazon Smile.
If you transfer a donation to us by bank transfer, you may include your address in the intended use field. We use these data to send you a donation acknowledgment.
If you use the other alternatives for donating, we retain no personal data from you and your donation will be anonymous.
d) Data processing for purposes of direct advertising
Letter advertising
To the extent permitted by law we may also use your name and postal address known to us for sending advertising material for our own offers. The legal basis for this is GDPR Art. 6-1 f) in conjunction with GDPR recital 47. Our legitimate interest is the promotion of sales or demand among our existing customers. Of course, you can object to the processing of your data for advertising purposes at any time with future effect. A notification in text form to the contact details above is sufficient. We will then delete your data from our distribution list. The data that is evidence for your objection will then be kept for a further 6 years as per GDPR Art. 17-3 e). During this time your personal data will be blocked from further processing.
Telephone advertising
To the extent permitted by law, for business customers, we may also use your name, company affiliation and your stated telephone number, in order to inform you of our own offers that we presume you will be interested in. The legal basis is GDPR Art. 6-1 f) in conjunction with GDPR recital 47, and the German Unfair Competition Act (UWG), S. 7-2 (2). Our legitimate interest is the promotion of sales or demand among our existing business customers. Of course, you can object to the processing of your data for advertising purposes at any time with future effect. A notification in text form to the contact details above is sufficient. We will then delete your data from our distribution list. The data that is evidence for your objection will then be kept for a further 6 years as per GDPR Art. 17-3 e). However, during this time your personal data are blocked from further processing.