Data Privacy Notice
The protection of your data is of particular concern to us. With this privacy policy, we want to inform you about the processing of your personal data and how we comply with the requirements of the EU General Data Protection Regulation ("GDPR"), the German Federal Data Protection Act ("BDSG") and the German Telecommunications Digital Services Data Protection Act ("TDDDG") on our website and in the event that you wish to contact us after visiting our website.
"Personal data" within the meaning of this Privacy Notice is all information that can be used to establish a connection to a person, for example on the basis of certain characteristics that allow conclusions to be drawn about the person's identity (e.g. the assignment of an IP address to a specific person by querying the connection with an Internet service provider). We use the term "personal data" in this Privacy Notice as it is defined in Art. 4 No. 1 GDPR.


1. Data Controller and Contact Details
User Rights GmbH
Friedrichstraße 123
10117 Berlin
Germany
E-Mail: info@user-rights.org 


2. Our Data Protection Officer
Our Data Protection Officer, 
Clandestine GmbH
Dornberger Straße 27
33615 Bielefeld
www.clandestine.de
can be reached by post at the above address or by email at DPO@clandestine.de.


3. What kind of personal data do we process if you view our website and where do we obtain them from?
In order for websites to work, some data must necessarily be transmitted to us, such as your IP address. Without this, the provision of websites would not work. 
In detail:
When you visit our website, the following data is collected for technical reasons in order to enable its functionality. Some of this data is personal data. The data is then stored for a short time in a server log file:
  • IP address of the request;
  • Name of the retrieved file;
  • Name/type of your web browser;
  • The operating system you are using; 
  • if applicable, a referrer URL (this is the URL of the website from which you reached our website when you clicked on a link); and
  • Timestamp of the retrieval.


4. What kind of personal data do we process if we handle your case and where do we obtain them from?
In order for us to properly process a case that you submit through us, we need to collect a range of personal data relating to you and your case.
In detail:
In order to be able to process a case submitted to us, we need a range of information to determine the persons involved and the facts of the case. We must then contact the platform involved to obtain further details of the case. The following categories of personal data are processed by us (in addition to those mentioned in section 3):
  • your name;
  • your email address and, if applicable, other contact details;
  • the date, time and time zone of the post in question;
  • content data of the post itself and a link to the post;
  • the platform's case ID, if one has been assigned to you or the facts of the case;
  • your assessment of the category of the offence;
  • evidence or other proof provided by you.
It is possible that we may require further information from you or receive it from the platform involved in the course of processing a case that is not requested via our form. In this respect, it is not possible for us to specify these categories in advance.


5. For what purposes do we process your personal data?
For all data processing that allows our website to work properly in the first place, we can process the necessary data without asking for your consent. The data necessary in order to handle your case is processed because you have instructed us to do so. Where information is not necessary, we process it based on your consent.
In detail: 
According to the applicable data protection laws, we may only process personal data if there is a legal basis for doing so. In the following, we describe the purposes for which we process the data mentioned in sections 3 and 4:
a. Data processing based on your consent (Art. 6 (1) (a), Art. 7 GDPR)
If we request further information in the course of processing your case, we will indicate whether this is mandatory information or whether it is optional data (e.g. further contact options). In the event that you provide us with optional data, you consent to its processing by us.
b. Data processing for the performance of a contract (Art. 6 (1) (b) GDPR) and for the enforcement of and defense against legal claims (Art. 9 (2) (f) GDPR)
If you instruct us to handle a case against a platform for you, you are commissioning us by submitting the form. This is a contract under civil law, so we process the data required in this context to fulfil this contract.
If there are special categories of personal data among the data transmitted to us, the processing is necessary for the enforcement of your rights or the defence of your legal claims, e.g. against the platform involved.
c. Data processing due to legal obligation (Art. 6 (1) (c) GDPR)
In order to settle our accounts with the platform operators involved, we must submit an invoice for the cases we have processed. This data also contains information that can be used to identify the individual cases. For commercial and tax law reasons, we are obliged to process this data to the extent specified.
d. Data processing based on legitimate interests (Art. 6 (1) (f) GDPR)
The provision of our website is a free service that we provide to every visitor.
This processing is necessary to safeguard our legitimate interests, as we have an interest in presenting our services to an interested audience. The fundamental rights and freedoms of website visitors as data subjects do not prevail here, as the personal data processed are those that are inevitably collected for technical reasons when any website is accessed. Conclusions about specific persons could only be drawn with additional knowledge that is not readily available (e.g. to draw conclusions about a possible user from a specific IP address via an Internet service provider).
We also use our web hoster as a service provider. As this is a data processor (see section 6 for more details), no separate legal basis is required for this.


6. To whom will your personal data be forwarded?
Our website is stored on a server of a professional web hosting provider. As a result, data is also transmitted to these service providers each time the website is accessed and delivered by these service providers. The same applies if you submit a case via our website. For this, we also work together with the provider of a tool that processes the personal data on our behalf. We also use third-party providers for emails and web analytics.
In detail:
a. Web hosting provider
We do not host our website on our own server, but use a web hosting service provider. This is Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855, Luxembourg. This is a data processor with whom we have entered into a data processing agreement in accordance with Art. 28 GDPR. Parts of the data processing take place in the USA. The USA is a third country within the meaning of the GDPR, as it is located outside the European Union and the European Economic Area. The provider Amazon Web Services is certified under the EU-U.S. Data Privacy Framework, so there are suitable guarantees for data transfer to this provider in the USA. The data privacy notice for Amazon Web Services can be accessed under this link.
b. Logos (Case handling)
The handling of cases submitted via our website is processed technically via the Logos platform. This is embedded in our website. The tool is operated by Knowledge Tools International GmbH, Friedrichstraße 123, 10117 Berlin. This is also a data processor with whom we have entered into a data processing agreement. The privacy notice for Knowledge Tools International GmbH can be accessed at https://knowledgetools.de/Datenschutzerklaerung.html. The Logos platform uses artificial intelligence. More information on this can also be found in the linked privacy policy.
c. Platform Providers
We must forward the information you share about the case to the respective platform involved (e.g. social media platform) because we must also request further information from them. The platforms are independent controllers who must ensure the protection of your personal data as part of the case handling process.
d. E-mail correspondence and web analytics
For our email correspondence, we use the service Google Workspace of Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland. 
For web analytics, we use the service Google Analytics provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics uses so-called cookies (more on this under “7. Cookies”).
Both service providers are data processors. We have entered into a data processing agreement with Google in accordance with Art. 28 GDPR and configured the most data protection-friendly settings possible, so that, for example, personal data is stored within the European Union wherever possible. Nevertheless, parts of the data processing may take place in the USA. The USA is a third country within the meaning of the GDPR, as it is located outside the European Union and the European Economic Area. Google and its affiliated companies are certified under the EU-U.S. Data Privacy Framework, so that appropriate safeguards are in place for data transfer to the USA. The data privacy notice of Google can be accessed under this link.


7. Cookies 
Cookies are files that are stored in the browser environment on your terminal device (e.g. PC, Mac, Android smartphone, iOS smartphone) and in which information about you and the use of the website is stored. 
We only use so-called essential cookies, i.e. those without which the website (and the services that can be accessed via it) would not function properly. This is a session cookie that temporarily stores the entries in the form for processing a case until the case has been successfully submitted.
You may refuse the use of cookies by selecting the appropriate settings on your browser; however, please note that if you do this you may not be able to use the full functionality of this website. With regard to Google Analytics, you can also prevent Google from collecting the data generated by the cookie and related to your use of the website (including your IP address) and from processing this data by downloading and installing the browser plug-in available at the URL https://tools.google.com/dlpage/gaoptout?hl=de.


8. How long will we retain your personal data?
How long your data is retained depends on the legal basis of the data processing.
In detail:
We generally retain data that we process on the basis of your consent for as long as the consent exists. After this, we may retain the documentation of consent for a further period of up to three years in order to be able to defend ourselves against possible claims; during this time, however, consent will of course not be used. However, this does not apply without exception. If we do not make use of the data that we have obtained on the basis of consent for a longer period of time or discontinue the underlying service, we will delete the data without you having to revoke your consent.
Data that is retained on a contractual basis will be retained for three years from the end of the year in which the contract was fulfilled or completed due to the exchange of services. 
Data that is necessarily collected when visiting the website is deleted 7 days after the log file is created.
We delete data that is retained to fulfill legal obligations as soon as the legal retention periods have expired. According to the German Commercial Code (HGB) and the German Tax Code (AO), this is six to ten years for business and commercial letters.
Data that we process on the basis of our legitimate interest is generally processed for as long as the legitimate interest exists. This depends on the specific individual case. If you would like more information on this, you are welcome to contact us. As it is unreasonable to check every day for each stored item of data whether the purpose for storage still exists, we may check this at regular intervals. Therefore, data may be retained for a limited period of time (deletion period), even if the legitimate interest has already ceased to exist. The data will not be processed for other purposes within the deletion period.
The personal data collected by Google Analytics is stored for a period of 14 months and then automatically deleted.


9. Your rights as a data subject and your withdrawal of consent
As a data subject, you have various rights, which we explain in detail in this section. In particular, you can withdraw your consent at any time with effect for the future (i.e. all past data processing based on consent remains lawful) and you can simply object to data processing that we only carry out on the basis of our legitimate interest (e.g. marketing measures that are permitted without consent in exceptional cases). Please note that in this section we describe all the rights to which you may be entitled as a data subject. This does not definitively determine whether you are actually entitled to a right.
In detail:
According to the GDPR, you are entitled to the following rights as soon as the conditions for exercising the respective right are met in detail:
  • you have the right to obtain from us confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, the details of the data processing (Art. 15 GDPR: Right of access by the data subject);
  • you have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you also have the right to have incomplete personal data completed, including by means of providing a supplementary statement (Art. 16 GDPR: right to rectification);
  • you have the right to obtain from us the erasure of personal data concerning you without undue delay (Art. 17 GDPR: right to erasure/to be forgotten);
  • you have the right to obtain from us restriction of processing of personal data concerning you (Art. 18 GDPR: right to restriction of processing);
  • in the case of processing based on consent or for the performance of a contract, you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from us or to have the data transmitted directly to another controller, where technically feasible (Art. 20 GDPR: Right to data portability);
  • you have the right to lodge a complaint with a supervisory authority at any time, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes applicable law (Art. 77 GDPR in conjunction with Section 19 BDSG: Right to lodge a complaint with a supervisory authority).
You also have the right, on grounds relating to your particular situation, to object at any time to processing of personal data concerning you which is (i) necessary for the performance of a task carried out in the public interest, (ii) in the exercise of official authority vested in us, or (iii) which we process on the basis of our legitimate interest (Art. 21 GDPR: right to object). In this case, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.
If personal data is processed for the purpose of direct marketing (marketing and business development), you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing. In this case, the personal data will no longer be processed for direct marketing purposes.
If you have given us your consent, you can withdraw this consent at any time. All data processing that we have carried out up to your revocation remains lawful.
You can assert the above-mentioned rights against us using the contact details provided in section 1.


10. Am I obliged to provide my personal data?
In principle, you are not obliged to provide us with your personal data. However, without the personal data, we will not be able to provide certain services or contact you.
If you browse our website, however, you cannot avoid providing the data mentioned under point 3. a), as the operation of the website would otherwise not be technically possible. If you take technical precautions to prevent the transmission of this data, you may not be able to access the website. However, you are free to disguise this data (e.g. by using a VPN service or masking) so that we cannot draw any conclusions from this technically necessary data (e.g. by using your real IP address to determine your approximate location).
In addition, we cannot handle a case that you wish to process through us without the data required to identify you and the case.


11. Automated decision-making and profiling
We do not use automated decision-making or profiling.


12. Data Security
We have implemented technical and organizational measures to ensure a high standard of data security, data availability and data integrity. All employees are subject to contractual confidentiality obligations and have been informed and instructed accordingly about the confidential handling of personal data.


13. Special provisions for our LinkedIn page
The following applies with regard to our LinkedIn page (available at https://www.linkedin.com/company/user-rights/about/):
If you access the website https://www.linkedin.com or the LinkedIn service via mobile apps, the data controller for data processing is
LinkedIn Ireland Unlimited Company
Wilton Place
Dublin 2
IRELAND
("LinkedIn")
If you transmit personal data to us via the linkedin.com website (e.g. via the message function) and we alone decide on the purposes and means of data processing, we are the sole data controller under data protection law.
You can find LinkedIn's Privacy Notice here.
Insofar as LinkedIn processes personal data in connection with the LinkedIn page and we contribute to the decision on the purposes and means of processing, LinkedIn and we are joint controllers of the data processing in this respect.
The joint controllership exists in particular for the Page Insights function. LinkedIn provides this function for operators of LinkedIn pages. This provides us with aggregated user statistics and enables us to recognize, for example, which target groups view our LinkedIn account and interact with posts and which of the posts receive a particularly large response. These statistics are compiled using information from our page visitors.
The legal basis for this processing is Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in evaluating the activities on our account and tailoring our offers to the needs of our users. We want to improve our services in this way. As the user data is aggregated and anonymized, we do not believe that the data processing poses any significant risk to the rights and freedoms of the data subjects. 
We have entered into a joint controllership agreement with LinkedIn in accordance with Art. 26 GDPR. This agreement sets out our respective responsibilities and obligations in relation to data subjects and their rights. You can find the agreement here. 
We summarize the joint controllership agreement as follows: Views of LinkedIn pages, i.e. also of our page, are recorded statistically. This enables us to filter the page views according to various criteria (e.g. age, professional seniority, region) and to gain insights into our user structure. LinkedIn does not transmit any clear user data to us, i.e. apart from the presentation of the statistics, we have no insight into the underlying data. With regard to the Page Insights function, LinkedIn assumes the data protection obligations under Art. 12-22 and 32-34 GDPR. 
In addition, as mentioned above, we process personal data from you as a LinkedIn user that you provide to us via LinkedIn. These are, for example, messages via the Messenger service. Insofar as these are aimed at the conclusion of a contract, Art. 6 para. 1 lit. b GDPR serves as the legal basis for the processing, otherwise we process this personal data out of our legitimate interest in continuing to contact you.

 
August 2024