Privacy Policy

Last update: May 2018

Privacy Notice according to GDPR

I. Name and address of the responsible entity

In terms of the General Data Protection Regulation and other national data protection acts of the member states as well as other data protection laws the responsible entity is:

Biotop Community Lab e. V.
Werderstr. 37
69120 Heidelberg
GERMANY

E-mail: Biotop Community Lab e.V. <biotophd@gmail.com>
Web page: www.biotop-heidelberg.de

II. General remarks on the data processed

1. Scope of the processing of personal data

Generally we are only processing personal data of our users if it is necessary for providing a fully functional web page, content and services. The regular processing of personal data of our users is only done after approval by the user. This is not the case however, when there are effective reasons why the consent can’t be given beforehand and when it is allowed to process the data due to legal regulations.

2. Legal basis for the processing of personal data

When we ask the affected person for approval for the processing of personal data, Art. 6 para. 1 lit. a General Data Protection Regulation (GDPR) (EU) serves as the legal basis.

When it is necessary to process personal data to fulfill a contract where the contracting party is the affected person, Art. 6 para. 1 lit. b GDPR serves as the legal basis. This is also true for data processing needed to carry out pre-contractual measures.

As long as the processing of personal data serves a legal obligation we are subject to, Art. 6 para. 1 lit. c GDPR serves as the legal basis.

In case vital interests of the affected person or any other natural person require the use of the personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis.

If processing the data is needed to preserve a legitimate interest of ours or of a third party, and this interest outweighs the interests, fundamental rights and freedoms of the affected person, Art. 6 para. 1 lit. f GDPR serves as the legal basis.

3. Data deletion and storage time

The personal data of an affected person is deleted or locked as soon as the purpose of storing them has ceased. Data can be stored beyond this if it is envisaged by the European or national legislator in EU regulations, laws or other regulations the responsible entity is subject to. Locking or deletion is also done if a period allotted by said regulations is expiring unless there is a necessity to keep the data for the conclusion or realization of a contract.

III. Providing the web page and creation of log files

1. Description and extent of the collected data

For each view of our web page the system is automatically collecting anonymous data and information of the inquiring computer system.

The following data is recorded in this process:

  1. Information on the web browser type and version
  2. The operating system of the user
  3. The IP address of the user
  4. Date and time of the request
  5. The URL of the web page the user requested

This data is not related to other personal data of the user.

2. Legal basis for the data processing

Legal basis for the temporary storage of this data and log files is Art. 6 para. 1 lit. f GDPR.

3. Purpose of the data processing

Temporary storage of the IP address by the system is needed to deliver the web page to the computer of the user. For this reason the IP address needs to be stored for the duration of the session.

This reason legitimates our interest in the data processing according to Art. 6 para. 1 lit. f GDPR.

4. Duration of the data storage

The data is deleted as soon as the purpose of recording it has ceased to exist. In case of the data recorded to provide the web page this is the case when the respective session is closed.

5. Means of objection and disposal

Recording the data for providing the web page and storing the data in log files is mandatory for the operation of a web server. Consequently the user has no means of objection.

IV. Use of cookies

1. Description and extent of the collected data

Our website is using cookies. Cookies are text files that are stored in the browser, more specifically by the web browser on the computer system of the user. When a user requests a web page, a cookie can be stored in the operating system of the user. This cookie contains a characteristic sequence of characters that allows for a unique identification of the browser in later requests of the same website.

We are using cookies to increase the usability of our web page. Some elements of our website require that the browser can be re-identified after switching to another sub-page. For this purpose, login information is collected and transferred in cookies.

2. Legal basis for the data processing

Legal basis for the processing of personal data by using cookies is Art. 6 para. 1 lit. f GDPR.

3. Purpose of the data processing

The purpose of using technically required cookies is to simplify the use of web pages to the user. Some functions of our website can’t be provided without the use of cookies. For those functions it is necessary that the browser is re-identified after switching to another sub-page.

We require cookies for the following features:

  1. Manage page content
  2. Remembering if the cookie policy was accepted

The user data collected through the use of technically required cookies is not used to create user profiles.

These reasons legitimate our interest in the processing of personal data according to Art. 6 para. 1 lit. f GDPR.

4. Duration of the data storage, means of objection and disposal

Cookies are stored on the computer of the user and are transferred to the web page by him. Because of this you as the user have full control over the use of the cookies. By changing a setting in the preferences of your web browser you can deactivate or restrict the transfer of cookies. Cookies that have already been stored can be deleted at any time. This can also be automated. If cookies are deactivated for our website, potentially not all features of this website can be used to their full extent.

V. Contact form

1. Description and extent of the collected data

On our website there are contact forms which can be used to send us electronic messages. If a user is using this service, the data entered into the form will be transmitted to us and stored. This data is:

(1) Name (this is not mandatory)
(2) E-Mail address
(3) Subject (this is not mandatory)
(4) Message

The user's consent for the processing of this data is obtained by sending the form. There is a reference to this privacy policy located at the form.

In this context no data will be transferred to third parties. The data is only used to facilitate the conversation.

2. Legal basis for the data processing

Legal basis for the processing of the data is Art. 6 para. 1 lit. a GDPR when the user has approved it.

Legal basis for the data which is processed as part of the E-Mail transfer is Art. 6 para. 1 lit. f GDPR. If the E-Mail is targeted at the closure of a contract, additional legal basis for processing the data is Art. 6 para. 1 lit. b GDPR.

3. Purpose of the data processing

The sole purpose of the processing of personal data from the input form is to handle the request of the user. In case of contacting us via E-Mail this is also the legitimate interest in processing the data.

4. Duration of the data storage

The data is erased as soon as it is no longer required for the purpose it was originally recorded for. For the personal data from the input form and the data that was sent via E-Mail, this is the case as soon as the respective conversation with the user is concluded. The conversation is over when the circumstances suggest that the subject in question was fully resolved.

5. Means of objection and disposal

The user always has the right to withdraw the approval of processing the personal data. If the user contacted us using E-Mail, he or she can always object to the storage of his or her personal data. In this case the conversation cannot be continued.

The objection can be raised using the contact form, an informal E-Mail or a letter to the postal address given in the imprint.

As a consequence all personal data that was recorded in the context of this user request will be erased.

VI. Newsletter

1. Description and extent of the collected data

On our website we offer subscription to a newsletter free of charge. In the process of registering for it, the data is transmitted to us using an input form. You can enter a name into that form if you want to and you need to enter an E-Mail address in order to receive the newsletter.
Your consent for the processing of the data is obtained by your registration and there is a reference to this privacy policy.

In the context of sending the newsletter, the personal data is not transferred to a third-party. The data is only used to deliver the newsletter.

2. Legal basis for the data processing

Legal basis for the processing of the data is Art. 6 para. 1 lit. a GDPR when the user has approved it.

3. Purpose of the data processing

Storing the E-Mail address of the user is technically required to deliver the newsletter. Recording the name helps in managing the list of subscribers and to prevent abuse of the services offered.

4. Duration of the data storage

The data is erased as soon as it is no longer required for the purpose it was originally recorded for. For the personal data from the input form this is the case as soon as the respective subscription to the newsletter is canceled.

5. Means of objection and disposal

The user always has the right to unsubscribe from the newsletter by replying to one of the newsletters to revoke the subscription.

As a consequence also the consent to store the personal data recorded in this context will be revoked and the data will be erased.

VII. Online registration to events

1. Description and extent of the collected data

Biotop Community Lab e.V. is organizing events for members and non-members of the club. For some of these events it is required to register in advance using the online forms provided on this web page. In these forms personal data can be entered that is needed for organizing the event due to several reasons. In addition, date and time of the registration is recorded to prevent abuse of the online form.

It might be that personal data entered in the form is shared with collaboration partners, insurances or sponsors of the event. However your data will only be transferred if it is required for organizing the event and only if the recipient follows strict privacy policies and keeps your data confidential.

The consent for storage and processing of the respective data for the purpose of organizing the event is given by the user by submitting the online form.

2. Legal basis for the data processing

For data in input fields of the form that are marked as required, the legal basis for the data processing is:

  • To fulfill a legal obligation: Art. 6 para. 1 lit. c GDPR
  • If there is a legitimate interest of the club: Art. 6 para. 1 lit. f GDPR
  • For recording date and time of the registration: Art. 6 para. 1 lit. f GDPR

For the data entered into input fields that are not marked as required, Art. 6 para. 1 lit. a GDPR applies.

3. Purpose of the data processing

The purpose for the data processing can be legal obligations Biotop Community Lab is subject to, legitimate interests of the club, or technical requirements. Examples are actuarial reasons, reporting names to a booked location, or reports/proofs requested by a sponsor.

4. Duration of the data storage, means of objection and disposal

The duration of the storage of personal data from online registrations is given by the applicable legal obligation to store the data. After this time is exceeded, the data is routinely deleted, if it isn’t required to fulfill a contract or to initiate a contract and/or there is no legitimate interest from our side to store the data for a longer period. If the exercise of objection rights requires deletion, the data is deleted immediately.

In case objection against storage, processing or transfer of data is raised by an informal E-mail to the organizers of the respective event or the board of the club, it can lead to exclusion from the respective event due to organizational reasons.

VIII. Integration of external service providers

1. reCAPTCHA

To protect user enquiries via our contact form and subscriptions to our newsletter, we use the reCAPTCHA service of Google Inc. The legal basis is Art. 6 para. 1 lit. f GDPR. The prompts of reCAPTCHA are used to discern whether an entry is made by a human being or, improperly, automated machine processing is used. The prompts include the transfer of IP addresses and any further data required by Google for the provision of reCAPTCHA. To this purpose, your entry will be transferred to and further used by Google. By using reCAPTCHA you agree that the recognition you have made will be incorporated in the digitalization of old works. DMAG will not store any further data about your use of this service.

We have activated IP anonymization on our website. Therefore, Google will shorten your IP address within the member states of the European Union and contracting states of the agreement of the European Economic Area. Only in exceptional cases will your full IP address be transferred to a server of Google in the U.S.A. and shortened there. On behalf of the operator of this website Google will use such information to analyze the use of this service. The IP address transmitted by your browser will not be merged with any other data of Google. The data is subject to separate data protection regulations of Google. For further information on the privacy policy of Google please refer to: https://www.google.com/intl/en/policies/privacy/.

IX. Rights of the affected person

In case data of your person is processed, you are a data subject in the sense of the GDPR and you have the following rights over the responsible entity:

1. Right of access

You can obtain confirmation from the responsible person whether or not personal data concerning you is processed by us.

If this is the case, you can demand the following information from the responsible entity:

  1. the purposes for which the data is processed;
  2. the categories of personal data that is processed;
  3. the recipients or the categories of recipients the data was or will be disclosed to;
  4. the planned storage duration of the personal data concerning you or, if no precise statements can be made, criteria for the establishment of the storage duration;
  5. the existence of a right to correction or deletion of the personal data concerning you, the right of limiting the processing by the responsible entity or an objection against this processing;
  6. the existence of a right to lodge a complaint with a supervisory authority;
  7. all available information about the origin of the data if the personal data was not ascertained from the affected person;
  8. the existence of an automated decision in individual cases including profiling according to Art. 22 para. 1 and 4 GDPR and – at least in these cases – meaningful information about the logic involved and the consequences of the processing for the affected person.

You have the right to demand information if the personal data concerning you is transferred to a third country or international organization. In this context you can demand to be informed about suitable guarantees according to Art. 46 GDPR related to the transfer.

2. Right of correction

You have the right of correction and/or completion over the responsible entity if the processed personal data concerning you is incorrect or incomplete. The responsible entity has to perform the correction immediately.

3. Right of limiting the processing

Under the following circumstances you can demand limiting the processing of personal data concerning you:

  1. if you deny the correctness of the personal data concerning you, for a duration that allows the responsible entity to check the personal data for correctness;
  2. if the processing is illegitimate and you refuse the deletion of the personal data and demand to limit the use of the personal data instead;
  3. the responsible entity doesn’t require the data for processing anymore, but you need them for the enforcement, exercise or defense of legal rights, or
  4. if you objected against the processing according to Art. 21 para. 1 GDPR and it has not yet been established if the legitimate interests of the responsible entity outweigh your interests.

When the processing of personal data concerning you was limited, the data can only be processed – with the exception of unaltered storage – with your consent or for the purpose of enforcement, exercise or defense of legal rights or for the protection of the rights of another natural person or corporate entity or because of important public interest of the European Union or one of its member states.

If the limitation of processing is constrained under the premises mentioned above, you are informed by the responsible entity before the limitation is lifted.

4. Right of deletion

a) Obligation to deletion

You can demand from the responsible entity that the personal data concerning you is deleted immediately and the responsible entity is obligated to do so immediately, if one of the following reasons applies:

  1. The personal data concerning you is no longer required for the purposes it was recorded for.
  2. You are revoking your consent on which the processing was based in accordance with Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR and there is no other legal ground for the processing.
  3. You did raise objection against the processing according to Art. 21 para. 1 GDPR and there are no compelling legitimate grounds for the processing or you raised objection against the processing according to Art. 21 para. 2 GDPR.
  4. The personal data concerning you was illegitimately processed.
  5. The deletion of the personal data concerning you is required to fulfil a legal obligation according to EU regulations or the law of the member states the responsible entity is subject to.
  6. The personal data concerning you was recorded in regard to the offer of information society services according to Art. 8 para. 1 GDPR.

b) Information of a third party

When the responsible entity has made the personal data concerning you public and if it is obligated to delete them according to Art. 17 para. 1 GDPR, it shall take measures to inform other entities responsible for processing the personal data about the demand to delete all references to, copies and replications of this data set. This measure is chosen appropriately under the consideration of the available technology and cost of implementation, including measures of technical nature.

c) Exceptions

The right of deletion does not exist, as long as the processing is necessary

  1. due to exercise of the right of free speech and information;
  2. for the fulfilling of a legal obligation that requires processing of the data according to EU regulations or the law of the member states to which the responsible entity is subject, or for the exercise of a task in the public interest or in fulfilling a public duty that was assigned to the responsible entity;
  3. because of public interest in the scope of public health according to Art. 9 para. 2 lit. h and i as well as Art. 9 para. 3 GDPR;
  4. for archival purposes in the public interest, scientific or historic research or for statistical reasons according to Art. 89 para. 1 GDPR, as long as the obligations mentioned in section a) will presumably render the goals of the data processing impossible or seriously compromise them, or
  5. for the enforcement, exercise or defense of legal rights.

5. Right of instruction

If you have asserted the right of correction, deletion or limitation of the data processing on the responsible entity, it is obligated to instruct all recipients to which the data was disclosed about this correction, deletion or limitation of processing unless this is impossible or requires a disproportionate effort.

You have the right to be informed by the responsible entity about these recipients.

6. Right of data transferability

You have the right to get the personal data concerning you that you provided the responsible entity with in a structured, well-established and machine-readable form. In addition you have the right to transfer this personal data to another responsible entity without obstruction by the responsible entity if

  1. the processing is based on a consent according to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. 1 GDPR or on a contract according to Art. 6 para. 1 lit. b GDPR and
  2. the processing is performed by means of automated procedures.

In exercising this right you furthermore have the right to obtain that the personal data is directly transferred from one responsible entity to another one, as far as this is technically possible. Liberties and rights of other persons can’t be violated in this process.

The right of data transferability is not applicable to the processing of personal data that is done in the scope of a task that is of public interest or in fulfilling a public duty that was assigned to the responsible entity.

7. Right of objection

You have the right to raise objections against the processing of personal data concerning you that is based on Art. 6 para. 1 lit. e or f GDPR at any time; this is also true for profiling based on the same grounds.

The responsible entity is not processing the personal data anymore unless it can present compelling legitimate grounds for the processing that outweigh your interests, rights and liberties or the processing serves the enforcement, exercise or defense of legal rights.

If the personal data concerning you are processed to facilitate direct advertising, you have the right to raise objections against the processing of personal data for the purpose of direct advertising at any time; this also applies to the profiling, as long as it is connected to such direct advertising.

When you are raising objections against processing for the means of direct advertising, the personal data concerning you will no longer be processed for this purpose.

In the context of using the offer of information society services you have the option of raising your objections by means of automated procedures under the use of technical specifications, despite the regulation 2002/58/EG.

8. Right of revoking the data privacy consent

You have the right to revoke your data privacy consent at any time. Revoking the consent does not affect the legitimacy of the data processing carried out between the consent and the revocation.

9. Automated decision in individual cases including profiling

You have the right to not be subjected to an automated decision – including profiling – that has legal consequences for you or otherwise compromises you significantly to a similar extent. This is not true if the decision

  1. is required for the conclusion or realization of a contract between you and the responsible entity,
  2. is allowed according to EU regulation or the law of the member states to which the responsible entity is subject and these legal regulations contain appropriate measures to protect your rights and liberties as well as your legitimate interests or
  3. is made with your explicit consent.

Nevertheless these decisions must not be based on special categories of personal data according to Art. 9 para. 1 GDPR as long as Art. 9 para. 2 lit. a or g GDPR is not applicable and appropriate measures for the protection of the rights and liberties as well as your legitimate interests have been made.

Concerning the cases mentioned in 1. and 3. the responsible entity is taking appropriate measures to protect the rights and liberties as well as your legitimate interests, which includes at least the right to obtain intervention by a person from the responsible entity, the right of presenting your own views and the right to contest the decision.

10. Right to lodge a complaint with a supervisory authority

Regardless of other administrative or legal remedies you have the right to lodge a complaint with a supervisory authority, in particular in the member country of your whereabouts, your workplace or the place of the alleged violation, if you are under the impression that the processing of the personal data concerning you is in violation of the GDPR.

The supervisory authority where the complaint was lodged is informing the applicant about the status and results of the complaint including the option of a legal remedy according to Art. 78 GDPR.