This Privacy Policy explains how we collect and use your personal data (further defined as “data”) in the context of operating our business activities via our website and affiliates as well as extern online presences, such as our Social Media Profile (further defined together as “Online Presences”) and which rights and options you have in this respect. Concerning the used terminology, we refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).
Name and Address of the Controller
Meisterrat Berlin-Brandenburg e.V.
Am Krögel 2
D 10179 Berlin
Deutschland
info@meisterrat.com
Chairperson: Sylvia Brauer
www.direktorenhaus.com/imprint
Categories of processed data:
– Identification and Contact information (e.g., names, addresses, e-mail addresses, telephone numbers).
– Content information (e.g., texts, photos, videos).
– Usage data (e.g., used websites, content and access time preferences).
– Electronic identification data (e.g., device identifier, IP adresses).
Categories of concerned persons:
Visitors and users of the Online Presences (further defined together as “Users”).
Purposes of processed data:
– Provision of the online presence, its functions and contents.
– Response to contact enquiries and communication with users.
– Security measures.
– Reach measurement/Marketing.
Used Terminology:
“Personal data” means any information relating to an identified or identifiable natural person (further defined as “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Legal basis for processing personal data:
According to Art. 13 GDPA we inform you about the legal basis for processing personal data. In case the legal basis of the GDPA is not named, the following is valid: The legal basis for processing personal data which is required for the performance of a contract to which you are a party (e.g. ordering publications and newsletters) is Article 6 (1) point (b) of the EU General Data Protection Regulation (GDPR). This also applies to pre-contractual measures. The legal basis for processing for compliance with a legal obligation to which the controller is subject is Art. 6 Abs. 1 lit. c GDPA and the legal basis for processing for the purposes of the legitimate interests pursued by the controller is Art. 6 Abs. 1 lit. f GDPA. In case that processing of personal data is necessary in order to protect the vital interests of the data subject or of another natural person the legal basis is Art. 6 Abs. 1 lit. d GPDA. Where we obtain consent to process personal data, the legal basis is provided by Article 6 (1) point (a) and Article 7 of the GDPR.
Security measures:
We implement appropriate technical and organisational measures, according to Art. 32 GDPA, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Further we consider the data protection by design and by default, respectively by the selection of hardware, software as well as procedures, according to the principle of data protection through technical design and data friendly defaults (Art. 25 GDPA).
Cooperation with Processors and Third Parties:
If we disclose, transmit or give access to data to other persons or companies in the context of our processin, this is done on a legal basis (e.g. if the transmission to a third party, e.g. payment service providers, is necessary for the performance of a contract, on the basis of Art. 6 Abs. 1 lit. b GDP), you have given the permission, it is legally obligatory or on the basis of our interests (e.g. for the use of webhoster, etc.).
Where processing is to be carried out on behalf of a controller, it is carried out on the legal basis of Art. 28 GPDA.
Transfers of personal data to third countries:
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of the GDPA, the conditions laid down in Art. 44 GDPA are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions according to Art. 44 GDPA shall be applied in order to ensure that the level of protection of natural persons guaranteed by the GDPA is not undermined.
Rights of the data subject:
You have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the other information, as well as a copy of the data, according to Art. 15 GDPA.
According to Art. 16 GDPA, you have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
According to Art. 17 GDPA, you have the right to obtain from the controller the erasure of personal data concerning you without undue delay and according to Art. 18 DSGVO the right to obtain from the controller restriction of processing.
According to Art. 20 GDPA you have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
You have the right to lodge a complaint with a supervisory authority, according to Art. 77 GDPA.
Withdrawal of consent:
You have the right to withdraw your consent at any time, according to Art. 7 Abs. 3 GDPA.
Right to object:
According to Art. 21 GPDA, you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Cookies und right of objection:
The Online presences are using cookies. Cookies are text files that are stored in a computer system via an Internet browser.
Numerous Internet sites and servers use cookies. Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a character string through which Internet pages and servers can be assigned to the specific Internet browser in which the cookie was stored. This allows visited Internet sites and servers to differentiate the individual browser of the data subject from other Internet browsers that contain other cookies. A specific Internet browser can be recognized and identified using the unique cookie ID.
Through the use of cookies, the controller can provide the users of this website with more user-friendly services that would not be possible without the cookie setting.
Through the use of cookies, the information and offers on our website can be optimized in the interests of the user. Cookies allow us, as previously mentioned, to recognise our website users. The purpose of this recognition is to make it easier for users to utilise our website. For example, the user of a website that uses cookies does not have to re-enter his access data each time he visits the website, as this is taken over by the website and the cookie stored on the user’s computer system. Another example is the cookie of a shopping cart in an online shop. The online store remembers the articles that a customer has placed in the virtual shopping cart via a cookie.
The data subject may, at any time, prevent the setting of cookies through our website by means of a corresponding setting of the Internet browser used, and may thus permanently deny the setting of cookies. Furthermore, already set cookies may be deleted at any time via an Internet browser or other software programs. This is possible in all popular Internet browsers. If the data subject deactivates the setting of cookies in the Internet browser used, not all functions of our website may be entirely usable.
Erasure of data:
The processed data is being erased or restricted from processing according Art. 17 und 18 GDPA, where one of the following grounds applies, as long as the processing is not necessary:
-
the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
-
the data subject withdraws consent to which the processing is based according to point (a) of Article 6(1) of the GDPR, or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing
-
the data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR
-
the personal data have been unlawfully processed
-
the personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject
-
the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR
If one of the above reasons applies, and you wish to request the erasure of personal data stored by the controller, you may, at any time, contact the controller or any employee of the controller. The controller shall promptly ensure that the erasure request is complied with immediately.
Where the controller has made personal data public and is obliged pursuant to Article 17(1) to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other controllers processing the personal data that the data subject has requested erasure by such controllers of any links to, or copy or replication of, those personal data, as far as processing is not required. The controller will take the necessary steps in individual cases.
In Germany, on the legal basis of §§ 147 Abs. 1 AO, 257 Abs. 1 Nr. 1 und 4, Abs. 4 HGB (Bücher, Aufzeichnungen, Lageberichte, Buchungsbelege, Handelsbücher, für Besteuerung relevanter Unterlagen, etc.), the storage of data is carried out for 10 years and for 6 years on the legal basis of § 257 Abs. 1 Nr. 2 und 3, Abs. 4 HGB (Handelsbriefe).
In Austria, on the legal basis of § 132 Abs. 1 BAO (Buchhaltungsunterlagen, Belege/Rechnungen, Konten, Belege, Geschäftspapiere, Aufstellung der Einnahmen und Ausgaben, etc.), the storage of data is carried out for 7 years, for 22 years in the context of properties and for 10 years for documents concerning electronically carried out services, telecommunication-, radio- and televisionservices that were given to non-entrepeneurs in EU member states and for whom the Mini-One-Stop-Shop (MOSS) was claimed.
Order processing in the onlineshop and client account:
We process the data of our customers in the context of the order transactions in our online shop in order to provide to them the offer and the ordering of the selected products as well as the payment and delivery.
Part of the processed data are identification, contact and communication data as well as contract and payment data of the our costumers, interested parties and other business partners.
The processing is being carried out on the legal basis of Art. 6 Abs. 1 lit. b and c for the purpose of the performance of a contract in context of the operation on an online shop, the accounting, distribution and the costumer service. For this we use Session Cookies for the storage of shopping basket content and permanent cookies for the storage of the login status.
We disclose the processed data to a third party only in the context of the delivery, payment or legal permits and duties towards legal advisers and agencies. The data will be processed in third countries only when necessary for the performance of a contract.
Optionally, users can create a user account for reviewing their orders. In the context of the registration the necessary information is specified. The user accounts are not public and cannot be indexed by search engines. If users have deleted their account the data will be deleted, conditional their storage is necessary for trading or fiscal reasons according to Art. 6 Abs. 1 lit. c GDPA. Information given in the user account remains until their erasure and following storage in the case of a legal obligation.
In the context of the registration and anewed registration as well as the using of our online services we are saving the IP address and the date of the user action. This is carried out on the basis of our legitimate interests as well as the interests of the users for security measures. The data will not be transmitted to a third party except when it is necessary for the purpose of our legitimate interests or it is a legal obligation according to Art. 6 Abs. 1 lit. c GDPA.
The data will be deleted according to the legal obligation and the necessity of the storage of data is evaluated every three years.
Contract performance:
The processing is being carried out on the legal basis of Art. 6 Abs. 1 lit. b. GDPA in order for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract. The processed data and the type, extent and purpose of the processing is determined through the contract.
The processed data contains the identification and contact data of the contracting parties (e.g., names, addresses, e-mail addresses, telephone numbers), the contract data (e.g., used services, contract content, contractual communication, names of contact persons) and payment data (e.g. bank details, history of payment).
Special categories of personal data is not processed except if this data is part of the assigned or contractual processing.
We are processing data that is necessary for the justification of the contract performance and refer to the necessity of their declaration, provided this is not evident for the contract parties. The data will only be disclosed to extern persons or companies if necessary within the context of a contract. We act according to the legal obligations and the instructions of the contracting body concerning the processing of data that is provided to us in the context of an order.
Extern payment service provider:
We are using extern payment service providers with whose platforms the users and we can carry out payment transactions (e.g. with link to the privacy policy, Paypal (https://www.paypal.com/de/webapps/mpp/ua/privacy-full), Klarna (https://www.klarna.com/de/datenschutz/), Skrill (https://www.skrill.com/de/fusszeile/datenschutzrichtlinie/), Giropay (https://www.giropay.de/rechtliches/datenschutz-agb/), Visa (https://www.visa.de/datenschutz), Mastercard (https://www.mastercard.de/de-de/datenschutz.html), American Express (https://www.americanexpress.com/de/content/privacy-policy-statement.html)).
On the legal basis of Art. 6 Abs. 1 lit. b. GDPA we are using these payment service providers for the performance of contracts. We are using extern payment service providers for the purposes of the legitimate interests pursued by the controller or by a third party on the legal basis of Art. 6 Abs. 1 lit. f. GDPA.
Part of the data that is processed by the extern payment service providers are inventory data e.g. name and address, banc data, such as account and credit card numbers, passwords, TANs and checksum as well as contract, sum data and data concerning the recipient. The information is needed in order to carry out the transaction. The inserted data is only processed through the payment service provider and saved by them. That means we do not receive data concerning account or credit cards, only information with confirmation or negative information of the data of the payment. The data will possibly be transmitted on the part of the payment service providers to credit bureaus. This processing purposes the identity and solvency check. We refer to the terms and conditions of the payment service providers.
For the payment transactions the terms and conditions and privacy policies of the particular payment service provider apply, that can be accessed on the particular websites or transaction applications. We also refer to them concerning other information and assertion of rights of withdrawal, to information and other rights.
Administration, Financial Accounting, Office Organisation, Contact Administration:
We are processing data within the framework of administrative tasks and the organisation of our company, financial accounting and the adherence to legal obligations, e.g. storage. We are processing the same data that we are processing within the framework of the provision of our contractual processing. The legal basis for this is Art. 6 Abs. 1 lit. c. GDPA, Art. 6 Abs. 1 lit. f. GDPA. Concerned parties are costumers, interested parties, business partners and visitors of the website. The purpose and our interest for the processing is in the administration, financial accounting, office organisation, storage of data, thus tasks that serve the maintenance of our business actions, the noticing of our tasks and the provision of our services. The erasure of data with regard to the contractual processing and contractual communication are conforming with the tasks that are named concerning these processing actions.
We are disclosing or transmitting data to the financial administration, e.g. tax accountant or public accountant as well as other tollgates and payment service providers.
In addition, on the basis of our economic interests, we are saving data concerning suppliers, organizers or other business partners, e.g. fort he purpose of future contacting. This data that is business related in the majority, we are storing permanently in principal.
Function of registration:
Users can create a user account. Within the framework of this registration the users are told what the necessary information is and this is processed on the legal basis of Art. 6 Abs. 1 lit. b GDPA for the purpose of providing the user account. The processed data contains login information (names, passwords, e-mail address). The data inserted in the context of the registration is used for the purpose of the usage of the user account and its purpose.
The users can be notified about informations that are relevant for the user account, e.g. technical changes. If users have terminated their user account their data will be erased, conditional to legal record retention. It is incumbent on the user to save this data in the case of a termination before the end of the contract. We are entitled to erase irrevocably all data of the user that was saved during the contract period.
Within the framework of the usage of our registration and login functions as well as the usage of the user account, we are saving the IP address and the date of the the date of the user action. This is carried out on the basis of our legitimate interests as well as the interests of the users for security measures. The data will not be transmitted to a third party except when it is necessary for the purpose of our legitimate interests or it is a legal obligation according to Art. 6 Abs. 1 lit. c GDPA. The IP addresses will be deleted or anonymized after 7 days at the latest.
Newsletter
With the following information we inform you about the content of our newsletter as well as the procedure for registration, distribution and statistical evaluation and your right to withdrawal. By subscribing to our newsletter you accept receiving and the described procedures.
Content of the newsletter: we are distributing newsletter, e-mails and other electronic notifications with promotional information (as following: “newsletter”) only with the consent of the recipient or legal permission. Our newsletter contain information about us and our services.
Double-Opt-In and Logging: The subscription of our newsletter takes place in a Double-Opt-In procedure. You will receive an e-mail after the subcription in which you are asked for confirmation of your subscription. This is necessary in order that nobody can register with a foreign e-mail address. The subscriptions of the newsletter are recorded in order to provide evidence of the subscription process according to the legal requirements. This contains the storage of the subscription and confirmation date as well as the IP address. The changes of data saved by the delivery provider will be recorded as well.
Application data: To subscribe to the newsletter your e-mail address is sufficient. Optionally we ask you to give your name for a personal addressing in the newsletter.
The distribution of the newsletter and the connected performance measurement is carried out with consent of the recipient on the legal basis of Art. 6 Abs. 1 lit. a, Art. 7 GDPA i.V.m § 7 Abs. 2 Nr. 3 UWG or if a consent is not necessary, for the purpose of the legitimate interests pursued by the controller for direct marketing according to Art. 6 Abs. 1 lt. f. GDPA i.V.m. § 7 Abs. 3 UWG.
The logging of the registration procedure is carried out or the purpose of the legitimate interests pursued by the controller on the legal basis of Art. 6 Abs. 1 lit. f GDPA. Our interest aims at the usage of a user friendly and safe newsletter system that serves our commercial interests as well as it corresponds to the expectations of the user and allows us the demonstration of consent.
Cancellation/Withdrawl – You can cancel and withdraw your consent to the subscription of our newsletter at any time. A link for cancellation can be find at the end of each newsletter. We can save the registered e-mail addresses up to three years on the basis of our legitimate interests before erasing them in order to provide proof of the formerly given consent. The processing of this data is rescricted to the purpose of a possible defense of claims. A individual request for erasure is possible at any time, providing that the confirmation of a formerly given consent is given.
Hosting and e-mail distribution:
The used hosting services serve for the provision of the following services: Infrastructure- and platform services, calculating capacity, storage space and data bank services, e-mail distribution, security services as well as technical maintenance services that we use for operating the Online presence.
We, respectively the hosting provider, are contact- and identification data, content data, contract data, meta- and communication data of customers, interested persons and visitors of our Online presences on the legal basis of our interests concerning the efficient and safe provision of the Online presence according to Art. 6 Abs. 1 lit. f GDPA i.V.m. Art. 28 GDPA.