Privacy Policy
The controller within the meaning of the European Union’s General Data Protection Regulation (GDPR) and other national data protection laws of Member States as well as any other applicable data protection provisions is:
I. Name and address of the controller
Ise Bosch
Dreilinden gGmbH
Alte Königstr. 18
22767 Hamburg
The controller’s data protection officer is:
Uwe Bienasch
II. General information on data processing
1. Scope of the processing of personal data
We collect and use the personal data of our users strictly to the extent necessary to provide a functioning website as well as to make available our content and services. We collect and use the personal data of our users on a regular basis but only after the user has given consent. Exceptions only apply in cases where it is not possible to obtain prior consent for factual reasons and where statutory regulations permit the data to be processed. The following types of data are processed:
– master data (e.g., names, addresses)
– contact data (e.g., emails, phone numbers)
– content data (e.g., text entries, photos, videos)
– usage data (e.g., websites visited, content interests, access times)
– meta/communication data (e.g., device information, IP addresses)
2. Legal basis for the processing of personal data
Article 6(1)(a) of the GDPR provides the legal basis in cases where we obtain the consent of data subjects to carry out the processing of personal data. Article 6(1)(b) of the GDPR provides the legal basis for the processing of personal data that is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. Article 6(1)(c) of the GDPR provides the legal basis for the processing of personal data that is necessary for compliance with a legal obligation to which our company is subject. Article 6(1)(f) of the GDPR provides the legal basis for the processing of personal data that is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
3. Data retention and erasure
The data we process will be erased or its processing restricted in accordance with Articles 17 and 18 of the GDPR. Unless expressly stated otherwise in this privacy policy, the data stored by us will be erased as soon as it is no longer required for its intended purpose and its erasure does not conflict with any statutory data retention obligations. If the data are not erased because it is needed for other legally permissible purposes, the processing of these data will be restricted. This means that the data will be blocked and will not be processed for any other purposes. This applies, for example, to data whose retention is required for commercial or tax reasons.
III. Website provision and log file creation
1. Description and scope of data processing
When our website is accessed, our system automatically collects data and information from the computer system of the requesting computer.
The following data are collected for a limited period of time:
(1) information about browser type and browser version
(2) the user’s operating system
(3) the user’s internet service provider
(4) the user’s IP address
(5) date and time of access
(6) websites from which the user’s system accesses our website
The data are stored in our system’s log files. It is used solely for the purpose of identifying potential malfunctions and is erased within seven days at the latest. Article 6(1)(f) of the GDPR provides the legal basis for the temporary storage of the data and log files. The temporary storage of IP addresses by the system is necessary in order to enable the transmitting of the website to the user’s computer. We must retain the user’s IP address for the duration of the session for this purpose. Storage in log files is carried out to ensure the website functions properly. We also use the data to optimize the website and to ensure the security of our IT systems. The data we collect here are not analyzed for marketing purposes, nor is it used to establish your identity. The uses stated above constitute a legitimate interest to process data pursuant to Article 6(1)(f) of the GDPR. Both the collection of these data for the purpose of making the website available and the storage of data in log files are indispensable to the operation of the website. There is therefore no possibility for users to lodge an objection to such use.
2. Processing of contact data
When users contact us (e.g., via the contact form, email, phone or social media), information about the user will be used pursuant to Article 6(1)(b) of the GDPR to handle and manage the contact inquiry. The information about the user might be stored in a customer relationship management (CRM) system or a similar contact management tool. We will erase inquiries in so far as these are no longer needed. We examine the necessity to retain such information every six months; statutory archiving obligations shall also apply.
IV. Plug-ins and tools
1. YouTube
Our website uses plug-ins from YouTube, which is operated by Google. The operator of the website is YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA.
If you visit one of our pages featuring a YouTube plug-in, a connection to YouTube’s servers is established. Information about which of our pages you have visited is relayed to YouTube’s servers.
If you’re logged in to your YouTube account, YouTube allows you to link your browsing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account.
YouTube is used to present our online content in an appealing way. This constitutes a legitimate interest pursuant to Article 6(1)(f) of the GDPR.
For more information on how YouTube handles users’ data, see Google’s privacy policy at https://policies.google.com/privacy?hl=en.
2. Amazon Associates Programme
Based on our legitimate interests (i.e., interest in the cost-efficient operation our online presence within the meaning of Article 6(1)(f) of the GDPR), we are a participant in the Amazon EU Associates Programme, an affiliate advertising programme designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.de. Amazon uses cookies to trace the origins of orders. Among other things, Amazon can detect that you clicked the affiliate link on our website and subsequently purchased a product on the Amazon platform.
Further information about how Amazon uses the data and how you can lodge an objection can be found in Amazon’s privacy notice:
https://www.amazon.de/gp/help/customer/display.html/ref=footer_privacy?ie=UTF8&language=en_GB&nodeId=3312401.
VI. Rights and remedies
If your personal data are processed, you are a data subject within the meaning of the GDPR and have the following rights vis-à-vis the controller:
1. Right of access
You have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the following information:
(1) the purposes of the processing;
(2) the categories of personal data concerned;
(3) the recipients or categories of recipient to whom the personal data have been or will be disclosed;
(4) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(5) the existence of the right to request from the controller rectification or erasure of personal data concerning you or restriction of processing of such personal data or to object to such processing;
(6) the right to lodge a complaint with a supervisory authority;
(7) where the personal data are not collected from you, any available information as to their source;
(8) you have the right to obtain from the controller information as to whether or not personal data concerning you are being transferred to a third country or to an international organization. Where that is the case, you have the right to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR relating to the transfer.
2. Right to rectification
You have the right to obtain from the controller the rectification of inaccurate personal data concerning you, as well as the right to have incomplete personal data completed. The controller is obligated to carry out the rectification without undue delay.
3. Right to restriction of processing
You have the right to obtain from the controller restriction of processing where the following applies:
(1) you contest the accuracy of personal data concerning you, for a period enabling the controller to verify the accuracy of the personal data;
(2) the processing is unlawful and the you oppose the erasure of the personal data and request the restriction of their use instead;
(3) the controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defense of legal claims; or
(4) you have objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override your grounds.
Where the processing of your personal data has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.
If you have obtained restriction of processing pursuant to the above requirements, you shall be informed by the controller before the restriction of processing is lifted.
4. Right to erasure
a) Obligation to erase
You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller has the obligation to erase such personal data without undue delay where one of the following grounds applies:
(1) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(2) you withdraw consent on which the processing is based according to Article 6(1)(a), or Article 9(2)(a) of the GDPR, and where there is no other legal ground for the processing;
(3) you object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the GDPR;
(4) the personal data have been unlawfully processed;
(5) the personal data have to be erased for compliance with a legal obligation in European Union or Member State law to which you are subject;
(6) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
Informing third parties
Where the controller has made personal data concerning you public and is obliged pursuant to Article 17(1) of the GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
Derogations
The right to erasure shall not apply to the extent that processing is necessary:
(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing by the European Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health in accordance with Article 9(1)(h) and (i) as well as Article 9(3) of the GDPR;
(4) for the establishment, exercise or defense of legal claims.
5. Right to be notified
If you have asserted your right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
The controller shall inform you about those recipients if you request such information.
6. Right to data portability
You have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
(1) the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR or on a contract pursuant to Article 6(1)(b) of the GDPR;
(2) and the processing is carried out by automated means.
In exercising your right to data portability, you have the right to have the personal data transmitted directly from one controller to another, where technically feasible. That right should not adversely affect the rights or freedoms of others.
That right shall not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6(1)(e) or (f) of the GDPR, including profiling based on those provisions.
The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.
Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications. You can send an email regarding this matter to our data protection officer.
8. Right to revoke consent
You have the right to revoke, at any time, the consent you have given concerning the processing of your personal data. The legality of the data processing carried out up until the point of revocation remains unaffected by the revocation of consent.
9. Automated individual decision-making, including profiling
You shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This shall not apply if the decision:
(1) is necessary for entering into, or performance of, a contract between you and the data controller;
(2) is authorized by European Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
(3) is based on your explicit consent.
However, these decisions shall not be based on special categories of personal data referred to in Article 9(1) of the GDPR, unless point (a) or (g) of Article 9(2) of the GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.
In the cases referred to in points (1) and (3), the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.
10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.