Carl Duisberg Portal

Data Protection Policy – Websites and Online Portals operated by Carl Duisberg Centren

subject to notification of direct marketing according to Section 7 No. 3 of the German Act against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb, UWG)

Version: 12 March 2021

§ 1 – General information and contact person

(1) In the following, we, the Carl Duisberg Centren, will inform you about the personal data that we collect and process in connection with the use of our websites and online portals. “Personal data” means any information that can be related to you personally, e.g. names, addresses, and IP addresses.

(2) The controller in accordance with Article 4 No. 7 General Data Protection Regulation (hereinafter referred to as “GDPR”) is:
Carl Duisberg Centren gemeinnützige GmbH
Hansaring 49–51
50670 Cologne
Germany
info@cdc.de

(3) The data protection officer is:
Franz-Henning Ritschel, Assessor iuris
Carl Duisberg Centren gemeinnützige GmbH
Hansaring 49–51
50670 Cologne
Germany
datenschutz@cdc.de

§ 2 – Your rights

(1) Regarding your personal data that we control, you have the following rights according to the standards laid out in the GDPR:
a) Right to information
b) Right to rectification or deletion
c) Right to restriction of processing
d) Right to withdraw consent at any time; however, such a withdrawal of consent does not affect the permissibility of processing for the time period before which notification of the data subject’s withdrawal of consent was received.
e) Right to object to processing as long as our processing of your data is in conflict with the balancing of interests (in cases where the legal basis for the processing is based on Article 6 No. 1 f) GDPR) or when the processing is related to direct marketing. In the second case of direct marketing, we will cease the processing immediately. In the first case where legitimate purposes of the controller are in conflict with the interests or fundamental rights of the data subject, we will first limit the processing and notify you immediately of our decision whether we deem the processing to be in conflict with your interests or fundamental rights – which will lead to termination of the processing – or not.
f) Right to data portability

(2) To exercise your rights, you can contact us at any time by using the contact details provided above in §1 of this Policy or a contact form on our websites.

(3) In addition, you have the right to lodge a complaint with a data protection supervisory authority about our processing of your personal data. The data protection supervisory authority responsible for oversight of CDC is:
Landesbeauftragte für den Datenschutz und
Informationsfreiheit Nordrhein-Westfalen
Kavalleriestraße 2–4
40213 Düsseldorf
Germany

§ 3 – Visiting our websites, log data

(1) When using our website for informational purposes only, i.e. if you simply view our website and do not register or actively transfer any other data to us, we process the personal data that your browser transfers to our server (so-called log data). This processing is necessary to display our website for you and to be able to maintain stability and security. The data processed are the following:
a) IP address
b) Date and time of access
c) Website from which the request originated (referring page)
d) Content accessed (particular page/subpage accessed)
e) Access status/HTTP status code
f) Specific amount of data transferred
g) Browser software, its language and version
h) Device used, its operating system and user interface
We delete these data within four weeks at the latest.

(2) The legal basis for this data processing is the balancing of interests provided for in Article 6 No. 1 f) GDPR. Our legitimate interest is hosting our own website for publicity purposes.

(3) Providing these personal data is not legally or contractually required, nor is it necessary to provide these data in order to conclude a contract. You are not obliged to provide these data; however, without an IP address, we cannot display our website for you, and without the other log data it would not be possible to guarantee a secure connection to our website and many functionalities of our website would be inactive.

§ 4 – Email verification in web forms

In order to maintain the confidentiality of our email communication, we conduct an email verification using a double opt-in procedure as a part of our web forms for applications, bookings, registrations, contact requests, and other similar functions. For the email verification procedure, the only data processed is your email address, which will only be stored by us for a maximum of 14 days. The legal basis for this data processing is a balancing of interests in accordance with Article 6 No. 1 f) GDPR. Our legitimate interest is to ensure that confidentiality is maintained in email communications with our customers by verifying that the email addresses are correct and that the communication is conducted with the authorized user of the email address. You are not required to provide your email address; however, should you elect to not provide an email address, the online process (e.g., booking, registration, inquiry) cannot be completed.

§ 5 – Website analytics

(1) On our websites, we employ the software “Matomo” (previously Piwik) to analyze use data. Matomo is an open-source software package that is run locally on our servers, which means that no data is transferred to contract processors or third parties. We use Matomo in order to statistically evaluate the use of our website. We use these statistics for our online marketing campaigns, to improve our online offerings, and to improve our internet presence. We use Matomo without cookies. Moreover, Matomo does not employ any sort of technologies that collect data about your user behavior outside of our websites, it does not link user data with other sources, nor does it create a user profile. This software package only makes use of website data needed for web servers as well as certain information that the web browser transfers to the webserver in order to access websites (log data, see above). Therefore, consenting to this data processing for our website is not necessary. Matomo accesses the most recent log data once a day. When collected, the IP addresses are shortened to omit the last two bytes, thus anonymizing them (e.g., 129.221.x.x). By combining these anonymized IP addresses with other log data, Matomo generates a user ID, a pseudonym with which you are associated and that can be used to track your user behavior on our website. With Matomo, however, this tracking has a limited level of detail (restricted to clicks, subpages accessed, time of access, and time spent on a particular page), and the association of your use data with your pseudonym is only active for a time period of 30 minutes. In addition, Matomo can recognize if you have found our site by clicking one of our online ads by logging URL suffixes that are associated with our marketing campaigns (e.g., sponsored links in Google searches, Facebook ads paid for by CDC, etc.). The use data that Matomo collects can be used to generate anonymized statistics that cannot be associated to particular persons.
Such data can be used to determine which of our campaigns attracted the most users to our site and how many of those ended up booking our services as well as what specific content on our site was most viewed and received the most clicks. Your personal data stored and processed in Matomo will be deleted after 6 months.

(2) On our website, we employ services provided by etracker GmbH based in Hamburg, Germany (hereinafter referred to as “etracker”) to analyze the use data. We use etracker in order to statistically evaluate the use of our website. We use these statistics for our online marketing campaigns, to improve our online offerings, and to improve our internet presence. We use etracker without cookies. Moreover, etracker does not employ any sort of technologies that collect data about your user behavior outside of our websites, it does not link user data with other sources, nor does it create a user profile. This software package only makes use of website data needed for web servers as well as certain information that the web browser transfers to the webserver in order to access websites (log data, see above). Therefore, consenting to this data processing for our website is not necessary. If you visit our website by clicking on one of our marketing campaigns (e.g., sponsored links in Google searches, Facebook ads paid for by CDC, etc.), these links contain a URL suffix from etracker, which etracker recognizes once you access our website. On our website, interactive page elements and buttons also contain “tags” from etracker. These tags are simple signal transmitters. In the process of navigating our website you reach or activate one of these tags, and this is recognized by etracker. The use data collected in this manner is associated with a temporary user ID that etracker has assigned to you (e.g., 108bf9a85547edb1108bf9a85547edb1). The user ID is a pseudonym that is generated by “hashing” (generating a reproducible hash value using a mathematical function) your IP address with the last two bytes truncated combined with your browser data and the current date. With the help of this user ID, your user behavior on our website can be registered – however, due to the time stamp component of the user ID, only for a maximum period of one day.
Subsequent visits to our website on another day will be associated with a different newly generated user ID, thus eliminating the possibility of linking this with your prior user behavior. From the anonymized use data, etracker compiles anonymized statistics that cannot be associated to particular persons and provides these data to CDC. These statistics can be used to determine which of our campaigns attracted the most users to our site and how many of those ended up booking our services, what specific content on our site was most viewed and received the most clicks, and the IP-address area (geo-information with a maximum accuracy at the city level) from which the request originated. etracker receives and processes the log data as well as the previously mentioned use data generated. etracker’s data processing is conducted exclusively in Germany and all such data processing is governed by a contract for data processing in accordance with Article 28 GDPR. According to this data processing contract, etracker saves all personal data for a maximum of 13 months.

(3) The legal basis for this data processing is Article 6 No. 1 f) GDPR. Our legitimate interest is the improvement of our Internet presence and our online offerings.

(4) You are not obliged to provide log data. § 3 Number 3 shall apply (see above).

§ 6 – Shariff Social Plugins

On our websites, we have installed social plugins with so-called Shariff technology. These plugins are simply a graphical symbol that contains a link to the respective social network and in particular our company presence on that social network. When you click on one of these symbols, you will be redirected to the respective social network. Clicking on these symbols and accessing the respective social network will necessitate that the data needed for technical reasons to establish a connection to a website are transferred to the provider of the social network in question. Before clicking on these symbols, no transfer of data whatsoever to one of these networks occurs. You can find information about the data processed by the social networks that we use on one central location on our website https://www.cdc.de/index.php?id=955&L=2, without needing to access the individual social networks.

§ 7 – Contact forms

(1) On our website, we provide contact forms that can be used to initiate contact with us electronically. Required fields are first name, last name, email address, and, if this is typically required for this type of service, the postal address. All data entered into the fields of our online contact form will be stored and used to answer your inquiry, and depending on the nature of your inquiry, these data may be stored for a longer period of time. Simple inquiries that do not trigger subsequent processes will be deleted after four years at the latest. The legal basis for this data processing is consent according to Article 6 No. 1 a) GDPR. If you communicate with us in the context of a contractual relationship or the initiation of such, the legal basis for this data processing is also granted by Article 6 No. 1 b) GDPR. You are not required to provide these data; however, should you elect to not provide these data, we cannot process your inquiry.

(2) When a contact request is sent using one of our contact forms, certain data will be transmitted and stored. In addition to the data that you enter into the online form, the user’s IP address, and the date and time of transfer will be transmitted and stored. These additional data are collected and processed as a part of the transmission process of the contact form in order to prevent misuse of this function on our websites and to maintain the security of our IT system. These additional data will be deleted after seven days at the latest. The legal basis for this data processing is a balancing of interests in accordance with Article 6 No. 1 f) GDPR. You are not required to provide these data; however, should you elect to not provide these data, we are unable to provide access for you to the contact form.

§ 8 – Newsletter and sending other promotional information, Notification of direct marketing according to Section 7 No. 3 of the German Act against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb, UWG)

(1) If you subscribe to a newsletter or wish to receive other informational materials, you must provide your email address and can, at your option, provide your names should you wish to be addressed by name in such communications. After subscribing, we will send you the requested newsletter or the requested informational material or similar information to the email address you have provided at regular intervals. The legal basis for this data processing is the express consent you have granted to us in accordance with Article 6 No. 1 a) GDPR.

(2) If you purchase goods or services from us, we are permitted to process the electronic contact information you provided to us in the context of your purchase in order to inform you of similar products and services that we offer by email provided you have not actively objected to this use of your personal data. You may object to this use of your data at any time and free of charge (with the exception of possible transmission charges that you may incur due to the basic rates charged by your telecommunications and/or internet provider) by notifying us of your objection by clicking on the unsubscribe link in the email, contacting us at the address given in §1 of this Policy, or using a contact form on our website. Upon receiving notification of your objection to the use of your data for direct marketing, we will no longer use your electronic contact information for advertising purposes. The legal basis for this data processing is the balancing of interests provided for in Article 6 No. 1 f) GDPR. Our legitimate interest is conducting direct marketing for our offers.

§ 9 – Offers on our websites

On our website, we also offer various services that you can take advantage of should you be interested. To book these services, you must as a rule provide additional personal data that we use to provide the particular service to you. More exact information detailing the data processing associated with offers, in particular the purpose of the processing, legal basis, categories of recipients, retention period, and where applicable our legitimate interests, will be provided to you separately in a timely manner before you accept our offer and transmit data to us, or in some cases this information may be found in the description of the offer.

§ 10 – Use of our online portal

(1) Our online portals are learning management systems (LMS), which you are able to use in connection with our training courses if applicable. Should you wish to use one of our online portals, you must register using your email address and an access code that you have been provided with as well as certain personal data. There is no requirement to use your real name on our online portals; it is possible to use a pseudonym on our online portal. In order to verify your email address, we use a so-called double opt-in procedure in the registration process, i.e. the registration is only completed when you click on a link in a confirmation email that was sent to you during the registration process. If you do not confirm your account within 24 hours, your registration will be automatically deleted from our databank. In addition, you can post other optional personal data on our portals. Where applicable, we also save personal data that you provide in the context of a self-evaluation, a needs analysis, a language test, or other use of the portals as a part of our courses or training programs as well as any test results you may have so that we can make these available to you on a learning management system to aid in studying and practicing.

(2) On our portal, we integrate textbooks and other materials from third party publishers, which are only accessible through an online interface provided by these third parties or by using a licensed external LMS. If you click on these links to such textbooks and other learning materials, certain personal data of yours (name, email addresses, and user ID) must be exchanged with these websites operated by third parties or their licensees in order to authenticate your access to these resources. At present, this is only the case for materials provided by Cornelsen Verlag GmbH (e.g., “Das Leben”), which are accessed through a website operated by BLINKLEARNING, S.L., to whom your personal data will be disclosed.

(3) The legal basis for this data processing is Article 6 No. 1 b) GDPR in connection with the portal end user agreement or the service contract for delivery of a training course that you have concluded. In cases where you have provided additional optional personal data, the legal basis is your consent according to Article 6 No. 1 a) GDPR. The portal end user agreement mandates that you provide the data for the necessary required fields during registration, and your contract with us to provide your course or training program mandates that you provide the necessary data when using the portals. Should you not provide these data, we cannot offer you our portals and our digital components of courses, training programs, etc. After two years of inactivity, access to your personal data stored on our portals will initially be locked, and then after four years of inactivity, your data will be deleted.

§ 11 – Contact via email

Should you choose to use email to communicate with us, your email address and the content of the email will be stored, and these data will be used for the purpose of answering your inquiry. The legal basis for this data processing is your consent according to Article 6 No. 1 a) GDPR. If you communicate with us in the context of a contractual relationship or the initiation of such, the legal basis for this data processing is also granted by Article 6 No. 1 b) GDPR. Depending on the nature of the inquiry, data from email inquiries will be stored. A simple inquiry that is not associated with a subsequent contract will be deleted after four years at

§ 12 – Applications

If you submit an application to us for employment, a trainee position, voluntary work, or an internship, we will use all the personal data that you have actively provided us in the context of such an application as a part of the selection process and to determine that there is a basis to establish a contractual relationship. Unsuccessful applications and other personal data of the applicants related to these applications will be deleted or where applicable destroyed within six months at the latest unless you have given your explicit consent for your data to be retained for a longer period so that we will be able to contact you at a later point

§ 13 – Recipients of data

In some cases, we make use of external service providers for maintenance, security, and cloud services in order to process your data. We have selected these third-party providers with the utmost care. In accordance with Article 28 GDPR, they are contractually obligated to follow our instructions regarding the handling of your data, and they are subject to regular audits. We do not process your data in countries outside of the European Economic Area, and our third-party providers adhere to the same standard of only processing data inside the European Economic Area.

§ 14 – Deletion of data

Unless other specific retention periods are stipulated in this Data Protection Policy, we will delete your personal data as soon as these are no longer necessary for achieving the purpose for which they were collected or a compatible purpose.

§ 15 – Modifications

Should our data processing activities change or should it be necessary to comply with legal requirements, we reserve the right to modify this Data Protection Policy so that the information we provide for you will always be kept up to date. Thus, for your next visit, please be aware that only the currently valid Data Protection Policy is applicable.