The protection of your personal data is important to us. Therefore we would like to inform you as simply and as accurately as possible of contact details and the data subjects’ data.
In the following, we provide you the contact details of our data protection officer as well as information on how to contact us in encrypted form. Then we will define the legal and technical terms used in the following text. Afterwards you will get an overview of the data subject’s rights. Following this, you will find information on the controller. Last we will detail the technologies and services used as well as our handling.
1 Contacting the data protection officer
Should you have any questions or wish to obtain information, please do not hesitate to contact our external data protection officer at any time. The contact details are:
Oliver Offenburger, M.Sc.
Telefon: 07721 69724 00
Fax: 07721 69724 01
Our preferred form of contact is via e-mail. However, you can also contact our data protection officer by post or by telephone. If you wish to encrypt your e-mail to our data protection officer, we advise you to read the following section.
Notes on enquiries:
Should you send an enquiry via e-mail within the usual business hours, we will confirm receipt of the message still on the same day. If you do not receive any confirmation, please contact us by telephone.
Should you send an enquiry by post, we will send you the confirmation of receipt still on the day we receive it, at the latest, however, one day after receipt. If you do not receive any confirmation, please contact us by telephone. For any enquiries by telephone, we ask you to use the telephone number of our data protection partner eye-i4 GmbH directly.
1.1 Encryption of e-mails to our data protection officer
We support an encrypted transmission via e-mail. Therefore we provide you with the possibility to encrypt your enquiries to the data protection officer in order to maintain confidentiality and integrity.
We use PGP for the encryption. Information on the free use and setup can be found on our data protection partner’s website; please see the following link:
You can download our PGP key using the following link:
If you wish to verify the fingerprint, please contact our data protection partner eye-i4 GmbH by telephone.
Should you have any further questions regarding the encryption, please do not hesitate to contact our data protection officer.
2 Terms in the legal context
Before going into details on legal issues we would first like to define the associated terms:
2.1 EU-GDPR (also called GDPR)
The term “EU-GDPR” (in the following referred to as “GDPR”) refers to the General Data Protection Regulation. This is a general regulation of the European Union which stipulates how personal data may be processed. For information, the legislative text of the GDPR can be viewed using the following link:
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
2.3 Personal data and data subject
“Personal data” means any information relating to an identified or identifiable natural person hereinafter referred to as “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2.5 Restriction of processing
“Restriction of processing” means the marking of stored personal data with the aim of limiting their processing in the future.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
2.8 Third party
“Third party” means a natural or legal person, public authority, agency or other body than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
2.10 Personal data breach
“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
2.11 Data concerning health
“Data concerning health” means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
“Enterprise” means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.
2.13 Supervisory authority
“Supervisory authority” means an independent public authority which is established by a Member State pursuant to Article 51 GDPR.
2.14 Relevant and reasoned objection
“Relevant and reasoned objection” means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union.
3 Terms in the technical context
Before going into details on technical issues we would first like to define the associated terms:
3.1 File management
“File management system” means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
Cookies are text files a website stores on your end device by means of your browser. These text files may be intended to realise technical matters like shopping cart mechanisms or to identify your visitor behaviour. For this purpose, the text files can be provided with identification features and additional information.
You have the possibility to inhibit the browser of your end device from saving any cookies. If cookies are deactivated, there may be technical restrictions when using a website.
3.3 Server logs
Server logs are log files which are created by the web server and document the access to a website. A log entry may contain a large amount of information, such as access time, browser type, the visitor’s IP address, etc.
The referrer designates the URL that linked to the controller’s page. Server logs serve to read out the referrer, for instance.
4 Rights of the data subject
The data subject’s rights arise from the GDPR as well as the relevant national legal provisions on data privacy. If you want to assert your rights, please contact our data protection officer using the contact details specified at the beginning. In the following we would like to inform you of your rights arising from the GDPR, particularly from chapter III:
4.1 Right to information
The data subject shall have a right to obtain information on the personal data stored, if the data were collected from the data subject or if the data were not obtained from the data subject. This is regulated by Chapter III Article 13 and 14 GDPR.
4.2 Right of access
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and further information pursuant to Art. 15 GDPR.
4.3 Right to rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.
Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
4.4 Right to erasure
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the grounds pursuant to Art. 17 GDPR applies.
4.5 Right to restriction of processing
The data subject shall have the right to obtain from the controller restriction of processing where one of the prerequisites pursuant to Art. 18 GDPR applies.
4.6 Notification obligation
The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 GDPR to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
The controller shall inform the data subject about those recipients if the data subject requests it.
4.7 Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
4.8 Right of objection
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
4.9 Right to lodge a complaint with a supervisory authority
Pursuant to Art. 77 GDPR you have the right to lodge a complaint with a supervisory authority. For this purpose you can approach the supervisory authority of your habitual residence, place of work or the controller’s place of business.
Our competent supervisory authority is:
Landesbeauftragte für den Datenschutz und die Informationsfreiheit, Stuttgart
5 Information on the controller
The controller pursuant to Art. 24 GDPR is:
Further information on the controller is provided under Legal details.
6 Web technologies used
6.1 Encryption of the data transmission
We use the SSL (Secure Socket Layer) method to encrypt the transmission and request of data to our website. For this purpose we use a 128-bit key with SHA256 hash.
Besides we employ suitable technical and organisational safety measures to protect your data against any accidental or deliberate manipulation, partial or complete loss, destruction or unauthorised access by third parties. Our safety measures are continuously improved in accordance with the technological evolution.
6.2 Server logs
If you use our website merely to obtain information, i.e. if you do not register or transfer information to us in any other way, we only collect personal data your browser transmits to our server. If you want to visit our website, we collect the following data, which is technically required for us in order to show you our website and to guarantee stability and security (legal basis is point (f) of Article 6(1) GDPR):
- Anonymised IP address
- Date and time of the request
- Time zone difference to Greenwich Mean Time (GMT)
- Contents of request (precise page)
- Access status / HTTP status code
- Amount of data transferred in each case
- Website from which the request is sent (referrer)
- Operating system and its interface
- Language and version of the browser software.
Cookies are stored on your computer when using our website. You can configure your browser settings according to your wishes and reject the acceptance of third-party cookies, for instance, or all cookies. We would like to point out that you might not be able to use all the functions of this website.
This website uses the following types of cookies; their extent and way of functioning are explained in the following:
- Transient cookies
- Persistent cookies
6.3.1 Transient cookies
Transient cookies are automatically deleted when you close the browser. These include particularly the session cookies. They store a so-called session ID by which different requests from your browser can be matched with the joint session. In this way your computer can be recognised when you return to our website. The session cookies are deleted when you log out or close the browser.
6.3.2 Persistent cookies
Persistent cookies are automatically deleted after a specified period which may vary depending on the cookie. You can delete the cookies at any time in the security settings of your browser.
We have included YouTube videos in our online offerings; the videos are stored at https://www.youtube.com and can be played directly from our website.
When visiting our website, YouTube obtains information to the effect that you have called up the corresponding subpage on our website. Additionally, the data mentioned in § 3 of this declaration will be transmitted. This happens regardless of whether YouTube provides a user account via which you are logged in or whether there is no user account. If you are logged in with Google, your data is directly assigned to your account. If you do not want YouTube to assign this information to your profile, you must log out before activating the button. YouTube saves your data as a usage profile and uses them for the purpose of advertising, market research and/or need-based design of their website. Such an evaluation is done in particular (even for users who are not logged in) to need- provide based advertising and to inform other users of the social network about their activities on our website. You have a right to object to the creation of these user profiles; you have to address yourself to YouTube in order to assert this right.
https://www.google.de/intl/de/policies/privacy. Google also processes your personal data in the USA and has submitted to the EU US Privacy Shield,
8 Transfer to third parties
Your personal data will not be transferred to third parties other than for the following purposes.
We only transfer your data to third parties if:
- you have given your explicit consent pursuant to point (a) of Article 6(1) GDPR,
- transfer is necessary according to point (f) of Article 6(1) GDPR for the establishment, exercise or defence of legal claims provided there is not any reason to believe that you have compelling legitimate grounds not to transfer your data which override these interests,
- in case that transfer is necessary for compliance with a legal obligation according to point (c) of Article 6(1) GDPR and
- it is permitted by law and necessary for the performance of a contract with you according to point (b) of Article 6(1) GDPR.