Imprint

The controller within the meaning of the General Data Protection Regulation (GDPR) is

Initiative Offene Gesellschaft e.V.
Kärntener Str. 20
10827 Berlin
freunde@offenegesellschaft.org

You can also address questions about data protection directly to our data protection officer: Attorney David Heimburger, dh@davidheimburger.de, 040 / 22863648

We endeavor to use gender-neutral language. In some cases, we only use the masculine form of terms such as users instead of users, users:inside or users for simplified reading guidance. If we only use the masculine form, the term is nevertheless intended to include all genders.

Here we summarize the general rights to which you are entitled under the GDPR with regard to your personal data processed by us. For an explanation of the legal terms, please refer to the applicable definitions in the GDPR (see Article 4). If anything remains unclear, please do not hesitate to ask us.

• You can revoke your consent to the processing or disclosure of your data at any time for the future (Article 7 (3) GDPR).

• If the legal basis for processing your data is a legitimate interest in accordance with Article 6(1)(f) GDPR, you may object to the data processing in accordance with Article 21 GDPR. If the data processing in question is direct marketing, you do not have to justify your objection in any way; in all other cases, you must provide reasons for your objection that arise from your particular situation.

• If we have stored incorrect information about you, you can request that we correct your data (Article 16 GDPR).

• You can request information from us about which of your data we process (Article 15 GDPR, Section 34 BDSG).

• You can request that we erase your data or restrict its processing, provided that your request does not conflict with any higher-ranking retention obligations (Article 17 or 18 GDPR, Section 35 BDSG).

• You can request that we provide you with the data that you have provided to us yourself in a machine-readable format for forwarding to third parties (Article 20 GDPR).

You may complain to a data protection supervisory authority, e.g. the Berlin Data Protection Commissioner, about data protection issues with us.

Any form of processing of personal data requires a legal basis that allows us to do so. The legal basis results primarily from the purpose for which the data is processed. The lawfulness within a legal basis is regularly determined by the specific scope of the data processing and the measures we have taken to protect your data.

The legal basis for data processing results from Article 6 (1) GDPR and for particularly sensitive data such as health data from Article 9 (2) GDPR. These two regulations name the preparation or fulfillment of contractual, legal or social obligations as the most important legal basis for data processing. In addition, many data processing operations are carried out in our legitimate interest, unless the interests of the data subjects prevail in the specific circumstances. If one of the aforementioned types of legal basis is relevant, the processing does not require any further consent from you.

In addition, data processing may be carried out on the basis of your consent (Article 7 GDPR) or, for persons under the age of 16, when using information society services (e.g. websites, online games, social media platforms) by children or adolescents in conjunction with the consent of a parent or guardian (Article 8 GDPR).

We would like to expressly point out at this point that none of our online offers requiring consent are aimed at persons under the age of 16.

In some cases, our obligation to ask for your consent does not arise from the GDPR, or not solely from the GDPR, but from the Telecommunications Digital Services Data Protection Act (TDDDG) or the Act against Unfair Competition (UWG). We have taken into account the obligations arising from these laws without expressly referring to them below.

If data is transferred to a country outside the European Economic Area (EEA), we ensure that data protection is guaranteed within the meaning of Articles 44 – 49 GDPR. Such a transfer outside the EEA is called a third country transfer in data protection law.

Cookies are a specific form of text entries that are stored on your device by your browser when you access a website. Different information can be stored in a cookie. Sometimes a cookie only stores a yes or no (“true” or “false”) or a country identifier such as “de” for German; sometimes a character string is stored that enables the browser to be uniquely identified when the website is called up again (a so-called cookie ID).

The right to set cookies is not based solely on the GDPR, but primarily on Section 25 TDDDG. The standard distinguishes between cookies that are absolutely necessary (essential) for the operation of the online service and those that are not. Essential cookies may also be set without consent, but non-essential cookies always require consent – even if this is not required under the GDPR (e.g. if there is a legitimate interest as a legal basis or the data is not personal).

Before we store non-essential cookies on your end device, we ask for your consent in accordance with the provisions of § 25 TDDDG.

The purpose of each cookie and the legal basis for its use under the GDPR can be found in the following description of the individual data processing.

There are various ways for you to prevent the acceptance of cookies on your device:

The standard case with many online offers is that you decide which cookies you allow and which you do not allow via a consent manager when you access the offer. As we operate our website without cookies that require consent, we do not use a consent manager that is unnecessary for our services.

In principle, you can set your browser so that it never accepts cookies. Such a complete exclusion means that you will most likely lose functions that are based on cookies and that you would actually like to allow or that do not require consent.

You can call up Internet pages in the private mode of your browser. Private mode also blocks the setting of cookies in your browser memory or automatically deletes all cookies at the end of the session.

Some browsers or browser plug-ins offer you the option of making more differentiated default settings as to which cookies you want to accept by default and which you do not.

A special case: Google offers a browser plug-in that prevents Google from setting the various cookies. You can find the corresponding plug-in here: https://tools.google.com/dlpage/gaoptout?hl=de

6.1 Visiting our website

6.1.1 Provision of our Internet pages

Description: In order for a web server to make our website available to your browser, the server must collect technical data about the device you are using, your browser and your Internet access. This is referred to as a log file or weblog. This is the same data that you are obliged to leave on every website you visit. The focus is on the IP address from which you access our pages. The web server sends the data you want to see to this Internet address.

Data categories: IP address from which our site was accessed; date and time of access; objects on our website that are accessed in the browser; type and version of Internet browser; type and version of operating system

Data recipient (third country transfer, if applicable): Our hosting service provider, which is bound to data protection by a data processing agreement. A transfer to a third country does not take place. In the event of attacks on our website, forwarding to forensic experts and investigating authorities commissioned by us. A transfer to a third country does not take place.

Purpose + legal basis: Provision of our website and investigations in the event of unlawful access to our website (e.g. a hacker attack). The legal basis is a legitimate interest, as the operation of a website is not possible without the recording of the weblog. In the specific case of an attack on our website, we have a legitimate interest in being able to provide the investigators with evidence of how the attack took place.

Storage period: 7 days

6.1.2 Analysis of user behavior (Matomo) Description: We use the web analysis service Matomo on our website. On our behalf, Matomo uses the information collected to create statistical reports on the activities on our website, the regional origin of visitors and the technical parameters of the devices used to visit our pages.

We have set Matomo so that IP addresses are only processed in abbreviated form in order to limit direct personal identification. IP anonymization means that the end of your IP address is replaced by zeros immediately after collection.

We use Matomo without cookies. However, Matomo creates a so-called digital fingerprint of your device as a so-called hash value based on the technical parameters of your end device and your browser. The digital fingerprint enables us to trace usage paths within our websites. The hash value is given an additional value (called a salt) by Matomo and then only stored for 24 hours. This combination of hash value with salt and short storage time means that we can only recognize your device within 24 hours. If you return later than 24 hours, this is a completely unknown and therefore new visit for us.

It is also not possible for us to recognize a specific person behind the hash value if you do not inform us in parallel exactly when and how you used our website.

We do not pass on the data from Matomo to third parties. In particular, we do not merge the data with data from advertising networks or use it in any other way for marketing purposes.

In addition to the activities on our website, we also use Matomo to document which Internet links you access in our newsletters. Here, too, we do not recognize you as a specific person, but can only track which Internet links motivate our newsletter recipients to click on them and which further route they then take via our website.

You can find more information about Matomo at https://matomo.org/matomo-cloud-privacy-policy/.

Data categories: IP address via which the device goes online until it is immediately anonymized; location or country linked to the IP address and Internet service provider for Internet access; date and time of access; objects on our website that are called up (clicked on) in the browser; type and version of the Internet browser; type and version of the operating system; Internet pages that were previously and next clicked on; digital fingerprint of the end device with additional random value (salt)

Data recipient (third country transfer, if applicable): InnoCraft Ltd, 7 Waterloo Quay PO625, 6140 Wellington, New Zealand. InnoCraft (the operator of Matomo Cloud) is obliged to comply with data protection via an order processing contract in accordance with Article 28 GDPR. The information collected by the cookies is transferred to servers in the EEA and stored there, so that technically no third country transfer takes place. Legally, the third country transfer to InnoCraft as a New Zealand company is secured by the EU adequacy decision for New Zealand.

Purpose + legal basis: The purpose of this usage analysis is to enable us to further improve our website based on the analysis findings.

The legal basis is a legitimate interest, which arises from the fact that the personal reference of the collected data is greatly reduced by anonymizing the IP addresses and using the hash value with salt and short storage time and the data is not combined by us with other data collections.

Storage duration: 24 hours (after this time, it is no longer recognizable via the hash value with Salt)

6.1.3 Bot protection mechanism (Google reCAPTCHA)

Description: With regard to registrations for our newsletter, we use Google’s reCAPTCHA service to check whether you are a human or a so-called bot. reCAPTCHA makes it possible to differentiate between human and automated, abusive entries. By using the reCAPTCHA service, data about you will be transmitted to Google. Google sets the cookies _GRECAPTCHA (expiry time: 6 months), AEC (expiry time: 6 months) and __Secure-ENID (expiry time: 1 year) in the memory of your browser as well as values for the keys r::a and r::f in the local memory of your browser.

Data processing by reCAPTCHA is carried out in accordance with Google’s data protection information: https://policies.google.com/privacy

We do not receive any data from Google about your usage behavior.

Data categories: IP address from which the page is accessed; date and time of access; type and version of Internet browser; type and version of operating system; Google IDs stored in cookies and local storage keys, but also mouse movements in the area of the reCAPTCHA checkbox

Data recipient (third country transfer, if applicable): Google LLC, contactable for us as a European organization via Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. Insofar as Google transfers data to third countries, Google guarantees that the data will be handled at EU data protection level by concluding standard data protection clauses. In addition, the company has certified itself according to the standards of the US-EU Privacy Shield, so that the data transfers are covered by the EU Commission’s adequacy decision on data transfers to the USA from July 2023.

Purpose + legal basis: Securing our newsletter registration against attacks by bots. The legal basis for the transfer of data is a legitimate interest, as there is a high level of interest in securing our infrastructure.

Storage period: The storage period is the responsibility of Google. It is not necessary for us to delete your data, as we do not collect any data from you through the use of reCAPTCHA.

6.1.4 Online fonts (Google Fonts)

Description: We use so-called web fonts to enable an individual design of our Internet pages. Your browser loads these fonts from the Internet to display our pages if the fonts have not yet been loaded into your browser’s memory from a previous visit to a page with this font.

In principle, fonts are available directly on our own server. In this respect, it is not an independent processing that goes beyond the processing “provision of our website”. In some cases, we access fonts from external servers, in our case when using the protection mechanisms via Google’s reCAPTCHA technology, which loads fonts from Google (Google Fonts).

To download the fonts from the Google font servers (gstatic.com), your IP address must be transmitted to Google, as otherwise the data package cannot be transmitted. Google does not receive any further data from you in direct connection with the font download.

Data categories: IP address from which your device accesses the Internet, time

Data recipient (third country transfer, if applicable): Google LLC, contactable for us as a European organization via Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. Insofar as Google transfers data to third countries, Google guarantees that the data will be handled at EU data protection level by concluding standard data protection clauses. In addition, the company has certified itself according to the standards of the US-EU Privacy Shield, so that the data transfers are covered by the EU Commission’s adequacy decision on data transfers to the USA from July 2023.

Purpose + legal basis: Provision of Google Fonts as part of the reCAPTCHA security mechanisms. The legal basis is a legitimate interest, as only the IP address of your device is transmitted as part of the font download without any further references to your use of the Internet.

Storage period: Google is responsible for the storage period. It is not possible for us to delete your data, as we do not collect any data from you through the use of Google Fonts.

6.2 Newsletter and contact management

6.2.1 Newsletter registration

Description: You can subscribe to our e-mail newsletter. All you have to do is enter an e-mail address.

If you register online for the newsletter, you will receive an e-mail to the address you have provided in which we ask you to confirm your registration. This is to prevent you from being subscribed to our newsletter by someone who does not or should not have access to this address. This two-stage procedure is called double opt-in for double consent.

By registering for our newsletter, you consent to us sending you e-mails on the topics described on the registration page in accordance with both data protection and competition law.

You can revoke your registration and thus your consent at any time for the future. This is possible via the corresponding link at the end of every newsletter we send out.

We record the use of our newsletter via so-called tracking pixels and campaign URLs for the internet links in the newsletter. The tracking pixel calls up our newsletter server when you open the e-mail. Access to the internet links in the newsletter is recorded via the campaign allocation in our web analysis (Matomo).

The registration form on our site sets a session cookie (automatically deleted when you close the browser) with the name __cfruid.

Data categories: E-mail address, documentation of e-mail verification (double opt-in), time of your registration; usage data (opening the e-mail + clicking on Internet links)

Data recipient (third country transfer, if applicable): Our service provider for sending the newsletter, which is bound to data protection by a data processing agreement. There is no transfer to third countries.

Purpose + legal basis: Provision of an e-mail newsletter and optimization of our newsletter content. The legal basis is your consent.

Storage period: Your data will be deleted immediately after you withdraw your consent.

6.2.2 Contact database (CRM)

Description: We maintain your data in a contact database in the sense of Customer Relationship Management (CRM). We store your contact details and the history of your customer relationship with us in the CRM. We also use the CRM to manage communication with you via newsletters.

Data categories: Contact data (name, e-mail address, telephone number, address), event participation, newsletter consent

Data recipient (third country transfer, if applicable): Our service provider for the operation of the CRM, which is bound to data protection by a data processing agreement. There is no transfer to third countries.

Purpose + legal basis: Use of a CRM system that enables us to provide holistic support for our contacts, from establishing contact through event management to sending newsletters. The legal basis is a legitimate interest, as the use of CRM increases the level of service and reduces costs.

Storage period: Until you withdraw your newsletter consent or object to the storage of your data.

6.3 Webshop

(…)

6.4 Events

(…)

6.5 Our social media profiles

6.5.1 Facebook and Instagram

Description: We operate company profiles (also known as fan pages) on Facebook and Instagram. Such a fan page enables us to present our organization on Facebook or Instagram, to get in touch with you on this social media platform and to draw attention to our services and offers via advertisements on these platforms.

Meta provides us with analysis data about the use of our fan page (called Page Insights). This gives us an impression of how successful each of our communication measures is.

Meta’s data protection information applies to the details of data processing at Meta: https://www.facebook.com/about/privacy

In accordance with a ruling of the European Court of Justice, the use of this analysis data is a joint responsibility with Meta in accordance with Article 26 GDPR. Meta has accordingly provided a joint responsibility agreement (https://www.facebook.com/legal/terms/page_controller_addendum). In the agreement, Meta has assumed sole responsibility for all data processing issues. If you wish to exercise your rights under the GDPR with regard to the data processed in Page Insights, you should contact Meta directly via your Meta account. However, in accordance with the statutory rules on joint responsibility, you are also free to contact us with your concerns. We would then pass your request on to Meta.

Data categories: Meta user name; comments, likes and page views within Facebook or Instagram and time of the action

Data recipient (third country transfer, if applicable): Meta Platforms Inc, contactable for us as a European organization via Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Meta guarantees that data is handled in accordance with EU data protection standards by concluding standard data protection clauses. In addition, the company has certified itself according to the standards of the US-EU Privacy Shield, so that the data transfers are covered by the EU Commission’s adequacy decision on data transfers to the USA from July 2023.

Purpose + legal basis: Analysis of usage behavior on our fan page or Instagram profile. The legal basis is the consent you have given as part of your meta-registration.

Storage period: Meta is responsible for the storage period.

6.5.2 LinkedIn

Description: We operate a company profile on LinkedIn. A LinkedIn profile enables us to present our organization on LinkedIn, to get in touch with you on this social media platform and to draw attention to our services and offers via advertisements on this platform.

LinkedIn provides us with analysis data about the use of our profile page. This gives us an impression of how successful each of our communication measures is.

For details on data processing at LinkedIn, please refer to LinkedIn’s data protection information: https://www.linkedin.com/legal/privacy-policy

Data categories: LinkedIn user name; comments, likes and page views within LinkedIn and time of action

Data recipient (third country transfer, if applicable): LinkedIn Corp, contactable for us as a European organization via LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. LinkedIn guarantees that the data will be handled in accordance with EU data protection standards by concluding standard data protection clauses. In addition, the company has certified itself according to the standards of the US-EU Privacy Shield, so that the data transfers are covered by the EU Commission’s adequacy decision on data transfers to the USA from July 2023.

Purpose + legal basis: Analysis of usage behavior on our LinkedIn profile. The legal basis is the consent you have given as part of your LinkedIn registration. Storage period: The storage period is the responsibility of LinkedIn.

6.6 Suppliers and service providers

6.6.1 Business relationship

Description: As a customer, we process personal data from our suppliers and service providers who are self-employed persons or partnerships, or our contact persons at such organizations, in order to be able to communicate with you about the processing of the order. In addition to content-related communication, your data is typically processed in the separately described processing operations of our “General infrastructure” (see there).

Data categories: Contact, contract and invoice data

Data recipients (third country transfer, if applicable): Tax consultants, auditors, lawyers in their capacity as holders of professional secrecy.

Purpose + legal basis: Proper management. The legal bases are contractual fulfillment as well as legal obligations and legitimate interests.

Storage period: Invoice data must be stored for 10 years in accordance with tax law; contract data must be stored for different lengths of time depending on the type of contract. In the case of copyrights, such periods extend up to 70 years beyond the death of the author.

6.6.2 Mention in publications

Description: In publications published by us, we name authors in accordance with the author’s right to be named. The naming also extends to the accompanying marketing and public relations work. If authors represent an institution relevant to the publication, their affiliation to this institution is also stated. In some publications, the authors’ professional contact details are also published as a service to readers.

Data categories: Name, academic title; partly institution and professional contact details

Data recipient (third country transfer, if applicable): none

Purpose + legal basis: Identification of authorship. The legal basis for the name is fulfillment of the author’s contract. The legal basis for the contact details is a legitimate interest, as only professional contact details of relevant contacts are published here.

Storage period: After delivery of printed publications, subsequent deletion by us is not possible.

6.7 Appointments

6.7.1 Applications

Description: If you apply for a job with us, we will process your application documents until the end of the application process exclusively for the purpose of deciding on your employment. We restrict access to your documents to those persons whom we reasonably involve in the decision to hire you.

If you are hired, your application documents will be transferred to your personnel file. If you are not hired, we will either ask for your consent to be included in our candidate pool or return or destroy your documents as soon as there is no longer any reason to expect an objection to our decision under anti-discrimination law.

Data categories: Name + contact details (e-mail, telephone, address), photo, profile URL in professional networks (e.g. Xing); information in the letter of application, CV, certificates and references, proof of training and professional qualifications, notes on job interviews (by telephone and in person), results from recruitment tests if applicable

Data recipient (third country transfer, if applicable): Microsoft as our service provider for hosting our email inboxes and file storage. Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521, Ireland; Microsoft is bound to data protection by a data processing agreement. Insofar as the EU subsidiary transfers data to the US parent company Microsoft Corp. or other Microsoft companies, Microsoft guarantees that the data will be handled in accordance with EU data protection standards by concluding standard data protection clauses. In addition, the company has certified itself according to the standards of the US-EU Privacy Shield, so that the data transfers are covered by the EU Commission’s adequacy decision on data transfers to the USA from July 2023.

Purpose + legal basis: Decision-making basis for staffing. The legal basis is the preparation of the fulfillment of a contract (employment contract) and subsequently a legitimate interest in defending against objections to negative decisions. Storage period: 6 months after completion of the original application process

6.7.2 Candidate pool

Description: If we are currently unable to offer you a suitable position, but would like to consider you again in the selection process for future vacancies, we ask for your consent to keep your application documents beyond the end of the current application process. If we are unable to get back to you for more than two years, we will ask for your consent to further storage or return or delete your documents.

Data categories: Name + contact details (e-mail, telephone, address), photo, profile URL in professional networks (e.g. Xing); information in the letter of application, CV, certificates and references, proof of training and professional qualifications, notes on job interviews (by telephone and in person), results from recruitment tests if applicable

Data recipient (third country transfer, if applicable): Microsoft as our service provider for hosting our email inboxes and file storage. Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521, Ireland; Microsoft is bound to data protection by a data processing agreement. Insofar as the EU subsidiary transfers data to the US parent company Microsoft Corp. or other Microsoft companies, Microsoft guarantees that the data will be handled in accordance with EU data protection standards by concluding standard data protection clauses. In addition, the company has certified itself according to the standards of the US-EU Privacy Shield, so that the data transfers are covered by the EU Commission’s adequacy decision on data transfers to the USA from July 2023.

Purpose + legal basis: Decision-making basis for future staffing. The legal basis is consent. Storage period: 2 years since last contact or last consent

6.8 General infrastructure

6.8.1 E-mail inbox, contact directory, calendar

Description: For e-mail, contact directory and calendar, we use Exchange accounts that collect these data groups in a bundle. E-mails that you send us or receive from us, your contact details and appointments with you are stored both on the servers of our hosting provider and as a local copy on the end devices that we have connected to our corresponding accounts.

Data categories: Name, contact details (e-mail, telephone, address, fax), your company, your company’s business area, your job title, your area of responsibility, place, time and circumstances of the contact and, if applicable, special information on your availability or the business topics addressed; time of sending or receiving an e-mail; content of the e-mail (texts, documents, images, other files); other typical metadata of an e-mail

Data recipient (third country transfer, if applicable): Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521, Ireland; Microsoft is committed to data protection via an order processing agreement. Insofar as the EU subsidiary transfers data to the US parent company Microsoft Corp. or other Microsoft companies, Microsoft guarantees that the data will be handled in accordance with EU data protection standards by concluding standard data protection clauses. In addition, the company has certified itself according to the standards of the US-EU Privacy Shield, so that the data transfers are covered by the EU Commission’s adequacy decision on data transfers to the USA from July 2023.

Purpose + legal basis: Use of synchronized e-mail inbox, calendar and contact directory. The legal basis is legitimate interest, as participation in modern business life would not be possible in a reasonably efficient manner without such a digital infrastructure.

Storage period: We store the e-mails and entries for as long as is necessary to fulfill a purpose. Depending on the content of an e-mail, the business relationship with a contact or the background to an appointment, the purposes can be very different; the retention periods are correspondingly varied.

For example: If your e-mail is used to prepare the conclusion of a contract, the obligation under the German Commercial Code (HGB) to retain business letters for six years applies.

6.8.2 Video conference (teams)

Description: If you participate in a video conference with us to which we have (technically) invited you, we are responsible for data processing through this communication. We use Microsoft Teams for video conferences. When we invite you to a conference, we send you a team URL relating to the specific conference together with the date.

You can join a Teams video conference via the Teams app for mobile devices or desktop/laptop or via your internet browser.

Participation as a guest is possible, so you do not need your own Microsoft user account. When you dial in to the conference, you will be asked to enter a participant name for the conference, e.g. so that messages in the chat during the conference can be assigned to you personally. You can also use fantasy names here.

Teams asks for your consent to access your microphone and camera. You can grant any of these authorizations, but you do not have to if you want to follow a conference without active participation, for example.

In addition to audio and video, Teams offers you supplementary functions: an accompanying chat for the exchange in text form, word messages via icons, profile maintenance (profile picture, additional contact data), artificial background image. Conferences can be recorded. If a conference is to be recorded, we inform all participants in advance and only start the recording once all participants have given their consent to the recording. Audio recordings can be transcribed into a text file for us by Microsoft.

Unless an expressly agreed recording takes place, the conference will not be stored by us in any way. Once the conference has ended, the content of an unrecorded conference can no longer be accessed. In this respect, this corresponds to telephone conversations that were not recorded.

It is technically possible for every participant to make screenshots or a recording of the conference in whole or in part using means outside of Teams. Such behavior without appropriate consultation with all participants constitutes a breach of data protection by the acting person and, if it is not one of our employees, is beyond our responsibility. Secret recordings of the spoken word can constitute a criminal offense under § 201 StGB. We reserve the right to take legal action of any kind against persons who use their participation in a video conference to behave in a manner contrary to data protection regulations.

As far as data processing is concerned that is not directly related to the specific conference, the responsibility does not lie with us but directly with Microsoft. This applies, for example, to downloading the Teams app. By downloading the Teams app to your end device, you establish an independent legal relationship between yourself and Microsoft. In some cases, responsibility also lies with you or the organization that provides you with your personal Teams user account.

The data transfer between your end device and the Teams server requires that Microsoft is aware of the IP address via which you are online during the video conference. The servers also collect all types of data that are regularly generated when telemedia services are used.

You can find information on data protection at Microsoft here: https://privacy.microsoft.com/de-de/privacystatement

Data categories: User name, participation times, video or audio signal, video or audio recording (only with consent), audio transcript (only after recording), actions in the chat, status of the request to speak, profile data (profile picture, contact data, background image), telephone number (when participating by telephone); other data categories such as IP address or e-mail address are processed by Microsoft under its own responsibility.

Data recipient (third country transfer, if applicable): Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521, Ireland; Microsoft is committed to data protection via an order processing agreement. Insofar as the EU subsidiary transfers data to the US parent company Microsoft Corp. or other Microsoft companies, Microsoft guarantees that the data will be handled in accordance with EU data protection standards by concluding standard data protection clauses. In addition, the company has certified itself according to the standards of the US-EU Privacy Shield, so that the data transfers are covered by the EU Commission’s adequacy decision on data transfers to the USA from July 2023.

Purpose + legal basis: Use of a video conference. Depending on the content of the conversation, the legal basis is the preparation or fulfillment of a contract or a legitimate interest in exchanging information with you. Consent is the legal basis for recordings.

Storage period: If no recording takes place, all data will be deleted at the end of the conference. If the conference was recorded, the recording is deleted as soon as the last purpose for which the recording was made has been achieved.

6.8.3 IT administration

Description: We use service providers for the administration, maintenance and care of our information technology. These service providers do not deal with the content of the personal data processed by us. However, when maintaining databases and other system units, personal data may be accessed by the service providers. All our service providers are expressly bound to confidentiality by corresponding contracts and in accordance with the sensitivity of the data to which they may have access.

Data categories: Any type of data

Data recipients (third country transfer, if applicable): IT service providers who are bound to data protection via an order processing contract or another form of confidentiality obligation. There is no transfer to third countries.

Purpose + legal basis: Utilization of competent service providers for professional IT administration. The legal basis is a legitimate interest, as the service providers are bound to data protection by adequate confidentiality obligations.

Storage period: No independent storage takes place.

6.8.4 File storage

Description: In addition to data collection in individual databases (described above), we store documents on our storage media. This typically includes Office documents (Word, Excel, PowerPoint), PDF files, images, films, layouts, other formats of text, spreadsheets and presentation files and ultimately any type of file whose use is appropriate in the context of our business processes.

Data protection issues relating to the content of the files depend on the relevant processing purposes. At the same time, the storage of the files and the metadata regularly attached to them (primarily the creator signature) results in independent processing. Office documents contain personal metadata in particular if they are worked on together (collaboration) and the comment and note functions as well as the change mode are used for this purpose.

We use Microsoft 365 as a cloud solution for file storage (in Teams, Sharepoint and OneDrive). Comprehensive information on the use of the data collected by Microsoft can be found in Microsoft’s data protection information (https://privacy.microsoft.com/de-de/privacystatement).

Data categories: Any type of data, but here focus on metadata: signature of the file creator, signatures of file editors (also in comments + notes); time of creation, editing or storage

Data recipient (third country transfer, if applicable): Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521, Ireland; Microsoft is committed to data protection via an order processing agreement. Insofar as the EU subsidiary transfers data to the US parent company Microsoft Corp. or other Microsoft companies, Microsoft guarantees that the data will be handled in accordance with EU data protection standards by concluding standard data protection clauses. In addition, the company has certified itself according to the standards of the US-EU Privacy Shield, so that the data transfers are covered by the EU Commission’s adequacy decision on data transfers to the USA from July 2023.

Purpose + legal basis: File storage in a high-performance data center and use of modern search functionalities. The legal basis is a legitimate interest, as the processing is carried out as part of order processing. Storage duration: Dependent on the storage time for the individual file

6.8.5 Prosecution

Description: In the event that we become involved in a legal dispute with you, we will pass on your personal data and the circumstances of the dispute to lawyers and, if necessary, to authorities or courts.

Data categories: Name, contact details, details of the subject matter of the dispute

Data recipients (third country transfer, if applicable): Lawyers, authorities, courts, bailiffs. All recipients are obliged to maintain confidentiality as a state institution or as a professional secrecy holder. There is no transfer to third countries.

Purpose + legal basis: Prosecution. The legal basis is the legitimate interest in seeking legal advice from lawyers and, if necessary, authorities or courts.

Storage period: The named recipients process your data according to their own specifications to the extent necessary to fulfill the respective task. We store the data relating to a legal dispute until the final conclusion of the dispute, including all relevant limitation and objection periods. If a similar dispute with you or other persons could conceivably be repeated, we will at least store the documents relevant to the proceedings – in anonymized form if necessary – for a correspondingly longer period.

6.8.6 Data protection management

Description: If you assert your data protection rights against us, we document the associated communication and processes in our data protection management application.

Data categories: Name, contact details, details of the data protection request

Data recipient (third country transfer if applicable): Our data protection officer, who is legally bound to confidentiality, is based in the EEA. Our service provider for the cloud application for data protection management, which is bound to data protection by a data processing agreement, is based in the EEA. A third country transfer does not take place in this way.

Purpose + legal basis: Data protection management. The legal basis is the statutory accountability obligation under the GDPR.

Storage period: We store the data relating to a legal dispute until the final conclusion of the dispute, including all relevant limitation and objection periods. If a similar dispute with you or other persons could conceivably be repeated, we will at least store the documents relevant to the proceedings – in anonymized form if necessary – for a correspondingly longer period.

Last update: July 2025