Data protection information

  1. Data protection
  2. Controller
  3. General information on data processing
  4. Provision of the website and creation of log files
  5. Data processing for registered users
  6. Minors
  7. Hosting and content delivery networks (CDN)
  8. Tracking
  9. Contact
  10. Support and feedback
  11. Newsletter data
  12. Use of cookies and analysis tools
    1. Cookies required for the operation
    2. Not mandatory cookies
  13. Social media
  14. Plugins, tools, hosting
  15. eCommerce and payment providers
  16. Encryption
  17. Data protection officer
  18. Your rights
    1. Right of access
    2. Right to rectification
    3. Right to restriction of processing
    4. Right to erasure
    5. Right to be notified
    6. Right to data portability
    7. Right to object
    8. Right to revoke the data protection declaration of consent
    9. Automated decision-making in individual cases, including profiling
    10. Right to lodge a complaint with a supervisory authority
  19. Amendments to this data protection information

1. Data protection

We take the protection of your personal data very seriously. We treat your personal data confidentially and according to the legal data protection regulations as well as this data protection information.

This data protection information applies to the processing of personal data by us on our website www.spielerplus.de (“website”) and for our web application (hereinafter “web application”) as well as for our mobile apps (hereinafter “apps”) (together hereinafter “applications”). It explains the type, purpose, and scope of the data processing within the framework of the website, the web application, and the mobile apps.

We would like to point out that data transmissions on the Internet can have security gaps. Seamless protection of the data against access by third parties is not possible.

2. Controller

The “Controller” is the natural or legal person, public authority, agency, or other body that alone or with others determines the purposes and means of the processing of personal data.

The controller for the data processing to provide the services within the website www.spielerplus.de and within the applications is:

SPM Sportplatz-Media GmbH
Eiffestr. 68
20537 Hamburg
E-Mail: [email protected]
Website: https://www.spielerplus.de/
Tel.: +49 40 537 9863 - 30

The respective trainer(s) and admin(s) are responsible for the data processing within a team in the applications.

Regarding this data processing, we (SPM Sportplatz-Media GmbH) only act on behalf of and according to the instructions of the trainer (order processing). You can find the data protection information of the trainer account for the data processing within a team in the settings under “Trainer data protection”

The following data protection information therefore only applies to the processing of personal data for which we (SPM Sportplatz-Media GmbH) are responsible.

3. General information on data processing

a. Scope of the processing of personal data

We categorically collect and use the personal data of our users only to the extent required for the provision of our applications, our contents, and our services. The collection and use of our users’ personal data is regularly only carried out with the consent of the user. Exceptions are made in cases in which prior consent cannot be obtained for factual reasons and where the processing of the data is permitted by legal regulations.

b. Legal basis for the processing of personal data

Insofar as we obtain consent from the data subject for the processing of personal data, Art. 6 (1) (a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis for the processing of personal data.

In the processing of personal data that is required for the performance of a contract in which the contractual party is the data subject, Art. 6 (1) (b) GDPR serves as the legal basis. This also applies to processing that is required to carry out pre-contractual measures.

Insofar as the processing of personal data is required to fulfill a legal obligation to which our company is subject, Art. 6 (1) (c) GDPR serves as the legal basis.

If vital interests of the data subject or another natural person require the processing of personal data, Art. 6 (1) (d) GDPR serves as the legal basis.

If the processing is required to safeguard a legitimate interest of our company or a third party and the interests, basic rights, and basic freedoms of the data subject do not outweigh the former interest, Art. 6 (1) (f) GDPR serves as the legal basis for the processing.

c. Data deletion and storage period

The personal data of the data subject are deleted or blocked as soon as the purpose of the storage is no longer applicable. Additionally, data may be stored if this has been provided for by the European or national legislator in EU regulations, laws, or other provisions to which the controller is subject. Data is also restricted or erased if a storage period prescribed by the above-mentioned standards expires, unless there is a need to continue storing the data in order to fulfill or conclude a contract.

4. Provision of the website and creation of log files

Whenever our website (including the web application) is accessed, our system automatically collects data and information from the computer system of the accessing computer. The following data is collected for a limited period of time:

The user’s IP address
The date and time of access
The user’s user agent
The path to the accessed page

The data are stored in the log files of our system. These data are only required for the analysis of any malfunctions and are deleted within 30 days at the latest. The legal basis for the temporary storage of the data and log files is Article 6 (1) (f) GDPR. The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user’s computer. The user’s IP address must be stored for the duration of the session for this purpose. The purpose of the storage in log files is to ensure the functionality of the website. We also use the data to optimize the website and ensure the security of our information technology systems. The data are not evaluated for marketing purposes in this context, and no conclusions are drawn about your person. These purposes also include our legitimate interest in data processing in accordance with Art. 6 (1) (f) GDPR. The collection of data for the provision of the website and the storage of the data in log files is mandatory for the operation of the website. As a consequence, there is no possibility of objection on the part of the user.

5. Data processing for registered users

When you register and use our applications, the following personal data is collected from you:

  • First and last name
  • Address
  • Date of birth, if applicable
  • User name
  • E-Mail address
  • Order data (which products were ordered from which seller)
  • Invoice and contract data

We also process the following technical data:

  • IP addresses
  • Browser types and browser version
  • Operating system
  • Referrer URL
  • Host name of the accessing computer
  • Time of the server access
  • Metadata
  • Device IDs
  • Login information for third-party services (e.g., Facebook ID)
  • Language settings
  • Installed app version

These data are processed for the purpose of implementing the user agreement between us and you (Art. 6 (1) sentence 1 lit. b GDPR). We only process the data until the purpose for which it was stored no longer applies or you request us to delete it. Usually, there is no longer any purpose for storing data when you log out of the application. However, if there are mandatory statutory retention periods, the relevant data are only deleted after the statutory periods have expired (e.g., tax-related retention period for invoice data).

6. Minors

Persons who are under the age of 16 must only transmit their personal data to us with the consent of their legal guardians pursuant to Art. 8 GDPR. We do not knowingly collect and process the personal data of minors.

7. Hosting and content delivery networks (CDN)

External hosting

The app or website is hosted by an external service provider (host). The personal data collected via the app or website are stored on the host’s servers. In particular, this may include IP addresses, contact requests, meta- and communication data, contract data, contact data, names, page accesses, and other data generated by an app or website.

The host is used for the purpose of fulfilling the contract with our potential and existing customers (Art. 6 (1) (b) GDPR) and in the interest of a secure, fast and efficient provision of our online offer through a professional provider (Art. 6 (1) (f) GDPR).

Our host will process your data only to the extent necessary to fulfill its service obligations and will follow our instructions with regard to these data.

Conclusion of a contract on order processing

To ensure processing in accordance with data protection regulations, we have concluded a contract for order processing with our host.

We use the Cloudflare service. The provider is Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107, USA (hereinafter “Cloudflare”).

Cloudflare offers a globally distributed content delivery network with a DNS (Domain Name System). The transfer of information between your browser and our website is routed through the Cloudflare network. This enables Cloudflare to analyze the data traffic between your browser and our website and to act as a filter between our servers and potentially malicious data traffic from the Internet. Cloudflare may also use cookies in this process, but these are solely used for the purpose described herein.

The use of Cloudflare is based on our legitimate interest in ensuring the most error-free and secure provision of our offer possible (Art. 6 (1) (f) GDRP). This interest outweighs your interest in the non-processing by Cloudflare. More information on the topic of security and data protection at Cloudflare is available here: https://www.cloudflare.com/privacypolicy/

We have concluded a contract with Cloudflare for order processing. Cloudflare is also a certified participant in the EU-US Privacy Shield Framework. Cloudflare has committed to handling all personal data received from the member states of the European Union (EU) according to the Privacy Shield Framework.

8. Tracking

a. Tracktics

If you are obtaining the services of our partner TRACKTICS GmbH, Hanauer Landstraße 291A, 60314 Frankfurt am Main (“TRACKTICS”), TRACKTICS is responsible for the processing of personal data in connection with the services of TRACKTICS as defined by Art. 4 (7) GDPR. You can find the data protection declarations of TRACKTICS at: https://tracktics.com/datenschutzerklaerung/

We only process your personal data (account ID) for the purpose of presenting the TRACKTICS services within the applications that TRACKTICS transmits to us on the basis of a contractual agreement with you or on the basis of a consent given by you. The legal basis for processing these data is Art. 6 (1) (1) (b) GDPR.

b. Other health-data services

Before using the health-data services Apple Health, Google Fit, Huawei Health, I agree that SPM Sportplatz Media GmbH may process my health data stored with my provider for the purpose of presentation in the applications. This consent can be revoked at any time by managing the settings of the respective operating system. The legal basis for processing these data is Art. 6 (1) (a) GDPR.

9. Contact

You can contact us by email, phone, or fax. In this process, your information from the inquiry and the contact details you provide there will be stored by us exclusively for purposes of processing the inquiry and in case of further questions. The data will not be transmitted to third parties in this context.

The legal basis for the data processing is Art. 6 (1) (f) GDPR. Our interest in answering your inquiry outweighs your interest; since you are writing to us, an answer is also in your interest and you are aware that we have to process your data to answer your inquiry.

If the purpose of the email contact is to conclude a contract, the legal basis for the processing is Art. 6 (1) (b) GDPR.

The data will be deleted as soon as they are no longer required for the purpose of their collection. This is the case when the respective conversation with the user has ended. The conversation has ended when it can be derived from the circumstances that the relevant matter has been resolved conclusively.

You can also contact us with the “Messenger” Facebook plugin. You can find more information about this function and the processing of personal data in this context under item 14 of this data protection information.

10. Support and feedback

We use the UseResponse support system within the applications to handle customer inquiries about our services. This is a service of UseResponse Inc., 39 E. Broadway Apt. B1, Long Beach, NY, 11561, USA (“UseResponse”).

Use Response offers a combination of feedback software, help desk, knowledge base platform, and live chat with messengers. The transfer of information between your browser and our website is technically routed through the UseResponse network.

The use of UseResponse is based on our legitimate interest in ensuring the most uncomplicated and secure provision of a demand and exchange function possible (Art. 6 (1) (f) GDRP). This interest outweighs your interest in the non-processing by UseResponse. More information on the topic of security and data protection at UseResponse is available here: https://www.useresponse.com/de/privacy-policy.

We have concluded a contract with UseResponse for order processing. UseResponse is also a certified participant in the EU-US Privacy Shield Framework. UseResponse has committed to handling all personal data received from the member states of the European Union (EU) according to the Privacy Shield Framework.

11. Newsletter data

If you would like to subscribe to the newsletter offered in our applications, we need your email address and information that permit us to confirm that you are the owner of this email address and agree to receive the newsletter. No other data are collected. We exclusively use these data to send the requested information and do not transmit it to third parties. The legal basis for the data processing is your consent (Article 6 (1) (a) GDPR).

You can withdraw your consent to store the data and email addresses and to use them to send the newsletter at any time, for example with the “Unsubscribe” link in the newsletter. The legality of the data processing operations that have already been performed remains unaffected by the revocation.

If you are a regular customer of ours, we can also send information on features, updates, and SpielerPlus content to your email address in the form of a newsletter. The legal basis for the data processing of your email address for this purpose is our legitimate interest in the sending of additional useful information on our offering, which overrides your interest in non-processing (Art. (6) (1) (f) GDPR). You can informally cancel the receipt of future newsletters at any time, such as via the link included in the newsletter.

The data that you provide to us for the purpose of subscribing to the newsletter will be stored by us until you unsubscribe from the newsletter and will be deleted after you unsubscribe.

12. Use of cookies and analysis tools

a. Cookies required for the operation

We use so-called session or flash cookies on our website www.spielerplus.de and in our applications. Cookies are text files that are stored in or by the Internet browser on the user’s computer system. When a user visits a website, a cookie may be stored on the user’s operating system. This cookie contains a distinctive string of characters that enables the browser to be uniquely identified when the website is accessed again. Some functions of our website cannot be offered without the use of cookies. These make it necessary for the browser to be identified even after a webpage is changed. The user data collected with the technically necessary cookies are not used to detect the identity of the user or to create user profiles. The legal basis for the processing of personal data with technically necessary cookies is Art. 6 (1) (f) GDPR.

Cloudflare

We use the Cloudflare service. The provider is Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107, USA (hereinafter “Cloudflare”). Cloudflare offers a globally distributed content delivery network with a DNS (Domain Name System). The transfer of information between your browser and our website is routed through the Cloudflare network. This enables Cloudflare to analyze the data traffic between your browser and our website and to act as a filter between our servers and potentially malicious data traffic from the Internet. Cloudflare may also use cookies in this process, but these are solely used for the purpose described herein.

The use of Cloudflare is based on our legitimate interest in ensuring the most error-free and secure provision of our offer possible (Art. 6 (1) (f) GDRP). This interest outweighs your interest in the non-processing by Cloudflare. More information on the topic of security and data protection at Cloudflare is available here: https://www.cloudflare.com/privacypolicy/.

We have concluded a contract with Cloudflare for order processing. Cloudflare is also a certified participant in the EU-US Privacy Shield Framework. Cloudflare has committed to handling all personal data received from the member states of the European Union (EU) according to the Privacy Shield Framework.

b. Not mandatory cookies

We also use cookies on our website and in our applications for various other purposes. To this end, we have integrated the consent management tool “consentmanager” (www.consentmanager.net) from Jaohawi AB (Håltgelvågen 1b, 72348 Västerås, Sweden, [email protected]) to request consent for the data processing or the use of cookies or similar functions. With “consentmanager”, you have the option to give or refuse your consent for certain functionalities of our website and applications, e.g., for the purpose of integrating external elements, integrating streaming contents, statistical analysis, range measurement, and personalized advertising. You can use “consentmanager” to give or refuse your consent for all functions or to give your consent for individual purposes or individual functions. You can also change the selected settings later. With this change function, you can revoke your consent at any time.

The purpose of integrating “consentmanager” is to enable the users of our website and applications to decide on the above-mentioned matters and, in the context of the further use of our website and applications, to offer the option to change settings that have already been made. In the course of the use of “consentmanager”, personal data and information about the used end devices, like the IP address, are processed.

The legal basis for the processing is Art. 6 (1) (1) (c) in connection with Art. 6 (3) (1) (a) in connection with Art. 7 (1) GDPR and alternatively (f). With the data processing, we help our customers (the controller according to GDPR) to comply with their legal obligations (e.g., obligation to provide evidence). Our legitimate interests in the processing lie in the storage of user settings and preferences with respect to the use of cookies and other functionalities. “consentmanager” stores your data as long as your user settings are active. After two years from the date on which the user settings were made, you will be asked for your consent again. The entered user settings are then stored again for this period.

You may object to the processing. Your right to object exists in case of reasons arising from your particular situation. For purposes of objecting, please send an email to [email protected]

You can also set your browser to inform you whenever cookies are placed, to only permit cookies in individual cases, exclude the acceptance of cookies in certain cases or in general, or activate the automatic deletion of the cookies when the browser is closed. Deactivating cookies or refusing your consent may limit the functionality of this website.

Cookies from third-party providers

Performance Advertising (https://www.performance-advertising.de)

The provider of Performance Advertising is Performance Advertising GmbH, Gorch-Fock-Wall 1a, 20354 Hamburg, Germany. Performance Advertising uses technologies to control and optimize the display of advertising materials for the user

Link to data protection information: https://www.performance-advertising.de/datenschutz/
Link to opt out: https://www.performance-advertising.de/opt-out/

Storage period: Data stored by Performance Advertising that are linked to cookies are deleted after 360 days.

Plista (https://www.plista.com/de)

The provider of Plista is plista GmbH, Torstraße 33-35, D-10119 Berlin, Germany. Plista uses technologies to control and optimize the display of advertising materials for the user.

Link to data protection information: https://www.plista.com/de/about/privacy/
Link to opt out: https://www.plista.com/about/opt-out/

Storage period: Data stored by Plista that are linked to cookies are deleted after 365 days.

Twiago (https://www.twiago.com/)

The provider of Twiago is twiago GmbH, Gustav-Heinemann-Ufer 72b, 50968 Cologne, Germany. Twiago uses technologies to control and optimize the display of advertising materials for the user.

Link to data protection information: https://www.twiago.com/datenschutz/
Link to opt out: http://control.twiago.com/privacy.php

Storage period: Data stored by Twiago that are linked to cookies are deleted after 30 days.

DoubleClick for Publishers (https://www.google.de/doubleclick/publishers/)

The provider is DoubleClick by Google, a division of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. DoubleClick provides online marketing solutions, particularly in the areas of ad serving, delivery of advertising materials, and as a marketplace for digital advertising.

Link to data protection information: https://www.google.com/policies/privacy/
Link to opt out: https://adssettings.google.com/authenticated?hl=en

Storage period: User and event-level data stored by Google that are linked to cookies, user IDs, or advertising IDs (e.g., DoubleClick cookies, Android advertising ID) are anonymized or deleted after 14 months. You can view details about this at the following link: https://support.google.com/analytics/answer/7667196?hl=de

DoubleClick Ad Exchange (https://www.doubleclickbygoogle.com/de/solutions/digital-marketing/ad- exchange/)

The provider is DoubleClick by Google, a division of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google provides online marketing solutions, particularly in the areas of ad serving, delivery of advertising materials, and as a marketplace for digital advertising.

Link to data protection information: https://www.google.com/policies/privacy/
Link to opt out: https://adssettings.google.com/authenticated?hl=en

Storage period: User and event-level data stored by Google that are linked to cookies, user IDs, or advertising IDs (e.g., DoubleClick cookies, Android advertising ID) are anonymized or deleted after 14 months. You can view details about this at the following link: https://support.google.com/analytics/answer/7667196?hl=de

DoubleClick AdSense (https://www.google.de/adsense)

The provider is DoubleClick by Google, a division of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google provides online marketing solutions, particularly in the areas of ad serving, delivery of advertising materials, and as a marketplace for digital advertising.

Link to data protection information: https://www.google.com/policies/privacy/
Link to opt out: https://support.google.com/ads/answer/2662922?hl=de

Storage period: User and event-level data stored by Google that are linked to cookies, user IDs, or advertising IDs (e.g., DoubleClick cookies, Android advertising ID) are anonymized or deleted after 14 months. You can view details about this at the following link: https://support.google.com/analytics/answer/7667196?hl=de

DoubleClick Bid Manager (https://www.doubleclickbygoogle.com/solutions/digital-marketing/bid-manager/)

The provider is DoubleClick by Google, a division of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google provides online marketing solutions, particularly in the areas of ad serving, delivery of advertising materials, and as a marketplace for digital advertising.

Link to data protection information: https://www.google.com/policies/privacy/
Link to opt out: https://adssettings.google.com/authenticated?hl=en

Storage period: User and event-level data stored by Google that are linked to cookies, user IDs, or advertising IDs (e.g., DoubleClick cookies, Android advertising ID) are anonymized or deleted after 14 months. You can view details about this at the following link: https://support.google.com/analytics/answer/7667196?hl=de

(3) Analysis tools

When you access our applications, your behavior can be statistically evaluated with the help of certain analysis tools and analyzed for advertising and market research purposes or to improve our offers. When using these kinds of tools, we make sure that we comply with the legal data protection regulations. When external service providers (commissioned data processors) are used, we conclude the appropriate contracts with service providers to ensure that the data processing corresponds to the German and European data protection standards.

We use the following tools to analyze user behavior:

(a) Google Analytics

The applications use functions of the Google Analytics web analysis service. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics uses so-called cookies. These are text files that are stored on your computer that enable an analysis of your use of the application. The information created by the cookie about your use of this application is generally transmitted to a Google server in the USA and stored there.

The storage of Google Analytics cookies and the use of this analysis tool are based on Art. 6 (1) (a) GDPR, since corresponding consent was requested (e.g., consent to the storage of cookies). The consent can be revoked at any time.

IP anonymization

We have activated the IP anonymization function. This means that Google truncates your IP address within member states of the European Union or in other countries that are parties to the agreement in the European Economic Area before it is transferred into the United States. Only in exceptional cases will the full IP address be transmitted to a Google server in the United States and truncated there. Google will use this information on our behalf to evaluate your use of the application, compile reports about the application activities, and provide other services associated with the application and Internet usage for the operator. The IP address transmitted by your browser as part of Google Analytics is not integrated with any other data from Google.

Browser Plugin

You can prevent the storage of cookies with a corresponding browser setting. However, please be aware that you might not be able to use all of the application’s functions to their full extent in such a case. Furthermore, you can prevent the recording of the data (including your IP address) generated by the cookie and referring to your application use by Google as well as the processing of these data by Google by downloading and installing the browser plug-in available at the following link:

https://tools.google.com/dlpage/gaoptout?hl=de

Demographic characteristics by Google Analytics

The applications use the “demographic characteristics” function of Google Analytics. This makes it possible to generate reports that contain information about the age, gender, and interests of the site visitors. These data come from interest-based advertising by Google as well as from third-party visitor data. These data cannot be attributed to any particular person. You can disable this function at any time via the ad settings in your Google account, or generally prohibit Google Analytics from collecting your information as described in the “Opting out of data collection” section.

Storage period

User and event-level data stored by Google that are linked to cookies, user IDs, or advertising IDs (e.g., DoubleClick cookies, Android advertising ID) are anonymized or deleted after 14 months. You can view details about this at the following link: https://support.google.com/analytics/answer/7667196?hl=de

(b) INFOnline GmbH

The applications use the measuring method (“SZMnG”) of INFOnline GmbH (https://www.INFOnline.de) to determine statistical parameters about the use of our offers. The goal of measuring the use – on the basis of a uniform standard method – is to statistically determine the number of visits to our website as well as the number of site visitors and their surfing behavior to obtain values that are comparable throughout the market.

For all digital offers that are members of Informationsgemeinschaft zur Feststellung der Verbreitung von Werbeträgern e.V. (IVW – http://www.ivw.eu) or participate in the studies of Arbeitsgemeinschaft Online-Forschung e.V. (AGOF – http://www.agof.de), the usage statistics are regularly processed into range information by AGOF and Arbeitsgemeinschaft Media-Analyse e.V. (agma – http://www.agma-mmc.de) and published with the “unique user” performance value. They are also processed and published by IVW with the performance values “page impression” and “visits”. These ranges and statistics can be viewed on the respective pages.

Legal basis for the processing

The measurement with the SZMnG measuring method by INFOnline GmbH is based on Art. 6 (1) (a) GDPR, since corresponding consent was requested (e.g., consent to the storage of cookies). The consent can be revoked at any time.

The purpose of processing personal data is the development of statistics and the creation of user categories. The purpose of the statistics is to trace and verify the use of our offer. The user categories form the basis for a targeting of the advertising material or advertising measures to correspond with the interests of the user. Measuring the usage in a way that ensures comparability to other market participants is essential for marketing this website. Our legitimate interest results from the economic usability of the insights resulting from the statistics and user categories as well as the market value of our website – also in direct comparison with websites of third parties, which can be determined on the basis of the statistics.

Additionally, we have a legitimate interest in making the pseudonymous data of INFOnline, AGOF, and IVW available for the purposes of market research (AGOF, agma) and statistical purposes (INFOnline, IVW). Furthermore, we have a legitimate interest in making the pseudonymous data of INFOnline available for the purposes of developing and provisioning interest-based advertising materials.

Type of data

INFOnline GmbH collects the following data, which are related to persons according to the GDPR:

IP address: Every device on the Internet requires a unique address, the so-called IP address, to transmit data. The at least short-term storage of the IP address is technically necessary due to the functionality of the Internet. The IP addresses are truncated by 1 byte before any processing and are only processed further in anonymized form. No storage or additional processing of the untruncated IP addresses takes place.

A randomly generated client identifier: To recognize computer systems, the range processing alternatively uses either a cookie with the identification “ioam.de”, a “local storage object”, or a signature that is created from various automatically transmitted items of information from your browser. This identifier is unique to a browser as long as the cookie or local storage object is not deleted. For that reason, a measurement of the data and subsequent assignment to the respective client identifier are also possible when you access other pages that also use the measurement method (“SZMnG”) of INFOnline GmbH.

The validity of the cookie is limited to a maximum of one year.

Data usage

The measurement method of INFOnline GmbH used in these applications determines usage data. This is done in order to compile the performance values of page impressions, visits, and clients and use this to form additional key indicators (e.g., qualified clients). Furthermore, the measured data is used as follows:

A so-called geolocalization (i.e., the allocation of a page access to the place from where it was accessed) takes place exclusively on the basis of the anonymized IP address and only up to the geographical level of the federal states/regions. Under no circumstances can the geographical information obtained in this manner be used to draw conclusions as to a user’s specific whereabouts.

The usage data of a technical client (e.g., a browser on a device) are merged across a website and stored in a database. This information is used to technically estimate the socioinformation of age and gender and is transferred to the AGOF service providers for further range processing. In the scope of the AGOF study, social characteristics are technically estimated on the basis of a random sample, which can be assigned to the following categories: Age, gender, nationality, professional activity, marital status, general household data, household income, place of residence, Internet use, online interests, place of use, user type.

Data storage period

INFOnline GmbH does not store the complete IP address. The truncated IP address is stored for a maximum of 60 days. The usage data in connection with the unique identifier are stored for a maximum of 6 months.

Transmission of data

Neither the IP address nor the truncated IP address will be passed on. For the creation of the AGOF study, data with client identifiers will be forwarded to the following AGOF service providers:

  • Kantar Deutschland GmbH (https://www.tns-infratest.com/)
  • Ankordata GmbH & Co. KG (http://www.ankordata.de/homepage/)
  • Interrogare GmbH (https://www.interrogare.de/)

13. Social media

Facebook plugins (Facebook Messenger)

Plugins from the Facebook social network are integrated in the applications. The provider of this service is Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. However, according to Facebook, the collected data are also transferred to the USA and other third countries.

You can find an overview of the Facebook plugins here:
https://developers.facebook.com/docs/plugins/?locale=de_DE

When you use the applications, the plugin establishes a direct connection between your browser and the Facebook server. Facebook thus receives the information that you have used this application with your IP address. When you use a Facebook plugin through the application while you are logged in to your Facebook account, you can be assigned to your Facebook profile. Facebook can then assign the visit of the application to your user account. We would like to point out that, as the provider of the application, we have no knowledge of the content of the transmitted data or their use by Facebook. You can find more information on this under Facebook’s privacy policy: https://de-de.facebook.com/privacy/explanation

If you do not want Facebook to be able to assign the application access to your Facebook user account, please log out of your Facebook user account.

The use of Facebook plugins is based on Art. 6 (1) (a) GDPR. Consent can be revoked at any time.

14. Plugins, tools, hosting

a. YouTube

The applications integrate videos on YouTube. The operator of the website is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

When you start a YouTube video via the applications, a connection to the YouTube servers is established. In this process, the YouTube server is informed which of our pages you have visited. If you are logged in to your YouTube account, you enable YouTube to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account.

Additionally, YouTube can store various cookies on your device after starting a video. These cookies can help YouTube obtain information about visitors to the application. Among other things, this information is used to collect video statistics, improve the user experience, and prevent fraud. The cookies remain on your device until you delete them.

It is possible that launching a YouTube video triggers further data processing operations over which we have no influence. The use of YouTube is based on your consent to YouTube (e.g., consent to the storage of cookies), Art. 6 (1) (a) GDPR. You can find additional information about data protection at YouTube in their privacy policy at: https://policies.google.com/privacy?hl=de

b. Google Maps

The applications use the map service Google Maps via an API. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. To use the Google Maps functions, it is necessary to store your IP address. This information is generally transferred to a Google server in the USA and stored there. The provider of this website has no influence on this data transfer.

Google Maps is used in the interest of an attractive presentation of our online offers and to make it easy to find the locations we indicate in the application. This represents a legitimate interest in the sense of Art. 6 (1) (f) GDPR. Insofar as corresponding consent was requested, the use is based on Art. 6 (1) (a) GDPR. Consent can be revoked at any time.

You can find more information on how user data are handled in Google’s privacy policy: https://policies.google.com/privacy?hl=de

c. Google Web Fonts

For the uniform display of fonts, these applications use so-called web fonts, which are provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). When a page is accessed, the user’s browser loads the required web fonts into the browser cache in order to display the texts and fonts correctly.

The browser used by the user must connect to Google’s servers for this purpose. This makes Google aware that this website has been accessed via the user’s IP address. Google Web Fonts is used in the interest of a uniform and attractive presentation of our online offers.

The legal basis for this is Art. 6 (1) (f) GDPR. If your browser does not support Web Fonts, a standard font from your computer will be used.

Google LLC, with its headquarters in the USA, is certified for the “Privacy Shield”, a US-European data protection agreement that guarantees compliance with the data protection standard that applies in the EU.

You can find more information on Google Web Fonts at https://developers.google.com/fonts/faq and in Google’s privacy policy: https://www.google.com/policies/privacy/

d. Google Tag Manager

We use the Google Tag Manager service. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

This service makes it possible to manage website tags through one interface. The Google Tag Manager only implements tags. This means: No cookies are used and no personal data are collected. The Google Tag Manager triggers other tags, which in turn may collect data. However, the Google Tag Manager does not access this data. If a deactivation was carried out in respect to a domain or cookie, it will remain effective for all tracking tags insofar as these are implemented with the Google Tag Manager.

e. Amazon Web Services

For the processing of data, we use Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg. We have entered into an order processing contract with Amazon Web Services EMEA SARL.

If your personal data is processed by Amazon Web Services EMEA SARL outside the EEA, Amazon Web Services EMEA SARL has agreed to comply with the provisions of the relevant data protection laws. This includes, for example, the transfer of data in accordance with the framework agreements for the EU-US and Swiss-US data protection shield (“Privacy Shield” in respect to transfers to the USA) or in accordance with data transfer agreements that include the standard contractual clauses approved by the EU Commission.

15. eCommerce and payment providers

Data transmission when concluding a contract for services and digital contents

We transfer personal data to third parties only if this is necessary for the execution of the contract; for example, to the credit institution responsible for processing payments.

The basis for the data processing is Article 6 (1) (b) GDPR, which permits data processing in order to fulfill a contract or pre-contractual measures.

There is no further transmission of the data unless you expressly consented to the transmission. There is no transfer of data to third parties without express consent.

PayPal (Braintree)

We offer payment via the “Braintree” payment gateway from PayPal, among other things. The provider of this payment service is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter “PayPal”).

If you select payment via PayPal, the payment information you enter will be transmitted to PayPal.

The transmission of your data to PayPal is based on Art. 6 (1) (a) GDPR (consent) and Art. 6 (1) (b) GDPR (processing for the performance of a contract). You have the option of revoking your consent to the data processing at any time. A revocation does not affect the validity of data processing operations performed in the past.

In-app purchases

If you make an in-app purchase within the applications, the transaction and payment will be carried out solely between you and the Apple App Store on the basis of the terms and conditions and privacy policy applicable there, which you can access here: https://www.apple.com/legal/internet-services/itunes/de/terms.html and https://www.apple.com/legal/privacy/de-ww/.

If you make an in-app purchase on an Android device in the Google Play Store, the transaction and payment will be carried out solely between you and the Google Play Store on the basis of the terms and conditions and privacy policy applicable there, which you can access here: https://play.google.com/intl/de_de/about/play-terms.html und https://www.google.de/intl/de/policies/privacy/.

The legal basis for the above-mentioned processing is Art. 6 (1) (1b) GDPR (processing is required to fulfill a contract with the affected person).

If you make an in-app purchase on a Huawei device in the Huawei App Gallery, the transaction and payment will be carried out solely between you and the Huawei App Gallery on the basis of the terms and conditions and privacy policy applicable there, which you can access here: https://consumer.huawei.com/minisite/cloudservice/hiapp/terms.htm?country=DE&branchid=2&language=de_DE und https://consumer.huawei.com/minisite/cloudservice/hiapp/privacy-statement.htm?country=US&branchid=2&language=de_de

16. Encryption

SSL or TLS encryption

For security reasons and to protect the transmission of confidential contents, such as orders or inquiries that you send to us as the operator, we use SSL or TLS encryption. You can recognize an encrypted connection when the browser’s address bar changes from “http://” to “https://” and by the lock symbol in your browser line.

When SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

Encrypted payment transactions on this website

If there is an obligation to provide us with your payment information (e.g., account number for direct debit authorization) after the conclusion of a cost-based contract, this information is required for payment processing.

The payment transactions via conventional payment methods (PayPal) are carried out exclusively through an encrypted SSL or TLS connection. You can recognize an encrypted connection when the browser’s address bar changes from “http://” to “https://” and by the lock symbol in your browser line.

When the communication is encrypted, the payment data that you transmit to us cannot be read by third parties.

17. Data protection officer

We have assigned a data protection officer for our company.

RUGE FEHSENFELD Consulting GmbH
DSB Sascha Fehsenfeld
Essener Straße 105
22419 Hamburg
GermanyDeutschland
Phone: +49 40 528 403-0
Fax no.: +49 40 528 403-10
E-Mail: [email protected]

18. Your rights

If your personal data are being processed, you are a data subject as defined by the GDPR, and you have the following rights in relation to the controller:

a. Right of access

You can request confirmation from the controller as to whether we are processing your personal data.

If such processing has taken place, you can request information from the controller on the following topics:

  1. the purposes for which the personal data are processed;
  2. the categories of personal data being processed;
  3. the recipients or categories of recipients to whom your personal data have been or will be disclosed;
  4. the planned duration of the storage of the personal data concerning you, or, if no specific information on this is available, criteria for determining the storage period;
  5. the existence of a right to the rectification or erasure of the personal data or restriction of processing of personal data concerning you, or a right to object to this processing;
  6. the existence of a right to appeal to a supervisory authority;
  7. any available information about the source of the data if the personal data are not being collected from the data subject;
  8. the existence of an automated decision-making process including profiling as defined by Art. 22 (1) and (4) GDPR and – at least in these cases – meaningful information about the logic involved as well as on the scope and intended effects of such processing on the data subject.
  • You have the right to request information as to whether your personal data are being transferred to a third country or to an international organization. In this context, you can request to be informed about the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.
  • b. Right to rectification

    You have the right to request that the controller correct and/or complete the data if the processed personal data concerning you is incorrect or incomplete. The controller must immediately make the correction.

    c. Right to restriction of processing

    Under the following conditions, you may request the restriction of the processing of your personal data:

    1. if you contest the accuracy of the personal data concerning you for a period that enables the controller to verify the accuracy of the personal data;
    2. if the processing is unlawful and you object to the erasure of the personal data and instead request a restriction of their use;
    3. if the controller no longer needs the personal data for the processing purposes, but you need them to assert, pursue, or defend legal claims; or
    4. if you have objected to the processing pursuant to Art. 21 (1) GDPR and it is not yet established whether the legitimate reasons of the controller outweigh your reasons.

    If the processing of your personal data has been restricted, these data – with the exception of storage – may only be processed with your consent or for the purpose of asserting, pursuing, or defending legal claims or for protecting the rights of another natural or legal person or for reasons related to an important public interest of the Union or a member state.

    If the restriction of processing was restricted in accordance with the above conditions, the controller will inform you before the restriction is lifted.

    d. Right to erasure

    (1) Obligation to delete

    You may request that the controller erases your personal data without delay. The controller is then obligated to immediately delete the data if one of the following reasons applies:

    1. The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
    2. You revoke your consent on which the processing pursuant to Art. 6 (1) (a) or Art. 9 (2) (a) GDPR was based and there is no other legal basis for the processing.
    3. You object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate reasons for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR.
    4. The personal data concerning you have been processed unlawfully.
    5. The erasure of the personal data concerning you is necessary to comply with a legal obligation under Union law or the law of the member states to which the controller is subject.
    6. The personal data concerning you have been collected in relation to services offered by an information society pursuant to Art. 8 (1) GDPR.

    (2) Information to third parties

    If the controller has made your personal data public and is obligated to their erasure pursuant to Art. 17 (1) GDPR, the controller, in consideration of the available technology and implementation costs, will take appropriate measures, including technical ones, to inform the persons responsible for the data processing that you, as a data subject, have requested the erasure of all links to these personal data or copies or replications thereof.

    (3) Exceptions

    The right to erasure does not exist if the processing is required

    1. to exercise the right to freedom of expression and information;
    2. to comply with a legal obligation that requires the processing according to a law of the Union or member states to which the controller is subject or to perform a task carried out in the public interest or in the exercise of official authority vested in the controller;
    3. for reasons of public interest in the field of public health pursuant to Art. 9 (2) (h) and (i) and Art. 9 (3) GDPR;
    4. for archival purposes, scientific or historic research purposes in the public interest, or for statistical purposes pursuant to Art. 89 (1) GDPR, insofar as the law referred to in section a) is likely to render impossible or seriously interfere with the attainment of the objectives of such processing; or
    5. to assert, exercise, or defend legal claims.

    e. Right to be notified

    If you have asserted the right to the rectification, erasure, or restriction of processing towards the controller, the controller is obligated to notify all recipients to whom your personal data have been disclosed of this rectification, erasure or restriction of processing, unless this proves impossible or involves disproportionate effort.

    You are entitled to receive information from the controller about these recipients.

    f. Right to data portability

    You have the right to receive the personal data concerning you that you provided to the controller in a structured, commonly used, and machine-readable format. You also have the right to have this data transmitted to another responsible person without interference from the controller to whom the personal data has been communicated, provided that

    1. the processing is based on consent pursuant to Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or on a contract pursuant to Art. 6 (1) (b) GDPR; and
    2. the processing is carried out by automated means.

    In exercising this right, you also have the right to request that your personal data be transferred directly from one controller to another, insofar as this is technically feasible. This must not affect the freedoms and rights of other people.

    The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

    g. Right to object

    You have the right to object, for reasons arising from your particular situation, at any time to the processing of your personal data that is carried out pursuant to Art. (6) (1) (e) or (f) GDRP; this also applies to profiling based on these provisions.

    The controller will no longer process your personal data, unless the controller can demonstrate compelling legitimate reasons for the processing that outweigh your interests, rights, and freedoms, or unless the processing serves to assert, exercise, or defend legal claims.

    If personal data concerning you are processed for the purpose of direct marketing, you have the right to object at any time to the processing of your personal data for the purpose of such marketing; this also applies to profiling to the extent that it is linked to such direct marketing.

    If you object to the processing for the purposes of direct marketing, your personal data will no longer be processed for those purposes.

    You have the option of exercising your right to object in relation to the use of information society services – notwithstanding Directive 2002/58/EC – by using automated procedures that involve technical specifications.

    h. Right to revoke the data protection declaration of consent

    You have the right to revoke your data protection declaration of consent at any time. Revoking the consent does not affect the legality of the processing that has occurred on the basis of the consent up until it was revoked.

    i. Automated decision-making in individual cases, including profiling

    You have the right not to be subject to a decision based solely on automated processing – including profiling – that has a legal effect on you or significantly affects you in a similar manner.

    This does not apply if the decision

    1. is required for the conclusion or performance of a contract between you and the controller;
    2. is permissible according to statutory regulations of the Union or member states to which the controller is subject and these regulations provide for appropriate measures to safeguard your rights, freedoms, and your legitimate interests; or
    3. is made with your express consent.

    However, these decisions may not be based on special categories of personal data pursuant to Art. 9 (1) GDPR, unless Art. 9 (2) (a) or (g) applies and appropriate measures have been taken to safeguard rights and freedoms and your legitimate interests.

    With respect to the cases referred to in (1) and (3), the controller will take appropriate measures to safeguard the rights and freedoms and your legitimate interests, which include at least the right to obtain the intervention of a person on behalf of the controller, to express his or her own point of view and to challenge the decision.

    j. Right to lodge a complaint with a supervisory authority

    Regardless of any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state in which you reside, your place of work, or the place of the alleged infringement, if you believe that the processing of the personal data concerning you is in breach of the GDPR.

    The supervisory authority to which the complaint has been lodged will inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

    19. Amendments to this data protection information

    We reserve the right to change these data protection regulations at any time in compliance with the legal requirements.

    Current as of: July 2020