Privacy Policy

Preamble

With the following privacy policy, we inform you about the types of personal data (hereinafter “personal data”) we process, for what purposes and on what legal basis, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications, and within external online presences, such as our social media profiles (collectively referred to as the “online offering”).

The terms used are gender-neutral.

Last updated: 6 February 2026

Controller

Initiative Main Line for Europe e.V.
c/o City of Karlsruhe
Zähringerstraße 65
76133 Karlsruhe, Germany

Authorised representative(s): Annika Hummel

Email: annika.hummel@mainlineforeurope.org

Phone: +49 721 133 1873

Legal notice: https://mainlineforeurope.org/imprint/

Overview of Processing Activities

The following overview summarises the categories of personal data processed, the purposes of processing, and the categories of data subjects concerned.

Categories of personal data

  • Inventory data.
  • Payment data.
  • Contact data.
  • Content data.
  • Contract data.
  • Usage data.
  • Meta, communication and procedural data.
  • Log data.
  • Member data.

Categories of data subjects

  • Recipients of services and clients.
  • Employees.
  • Prospective customers / interested parties.
  • Communication partners.
  • Users.
  • Members.
  • Business and contractual partners.
  • Donors.
  • Third parties.

Purposes of processing

  • Provision of contractual services and performance of contractual obligations.
  • Communication.
  • Security measures.
  • Direct marketing.
  • Office and organisational processes.
  • Organisational and administrative processes.
  • Feedback.
  • Marketing.
  • Provision of the online offering and user-friendliness.
  • Information technology infrastructure.
  • Donation collection / fundraising.
  • Public relations and information purposes.
  • Public relations.
  • Sales promotion.
  • Business processes and commercial/financial procedures.

Relevant Legal Bases

Relevant legal bases under the GDPR: Below you will find an overview of the legal bases of the GDPR on which we rely when processing personal data. Please note that, in addition to the GDPR, national data protection laws may apply in your or our country of residence or establishment. If more specific legal bases are applicable in individual cases, we will inform you of these in this privacy policy.

  • Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
  • Performance of a contract / pre-contractual measures (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Compliance with a legal obligation (Art. 6(1)(c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
  • Membership agreement (Articles of Association) (Art. 6(1)(b) GDPR).

National data protection provisions in Germany: In addition to the GDPR, national data protection provisions apply in Germany, in particular the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG contains, inter alia, specific provisions on the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and transfers, as well as automated decision-making in individual cases, including profiling. Furthermore, the data protection laws of the individual German federal states may apply.

Note on applicability of the GDPR and the Swiss FADP: These privacy notices serve to provide information both under the Swiss Federal Act on Data Protection (FADP) and under the General Data Protection Regulation (GDPR). For this reason, and due to the broader territorial scope and comprehensibility, the terminology of the GDPR is used. In particular, the GDPR terms “processing” of “personal data”, “legitimate interest” and “special categories of data” are used instead of the terms used in the Swiss FADP. The legal meaning of these terms, however, continues to be determined under the Swiss FADP to the extent that it applies.

Security Measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

These measures include, in particular, ensuring the confidentiality, integrity and availability of personal data by controlling physical and electronic access to it, as well as controls relating to access to the data, its input and disclosure, the safeguarding of its availability and its segregation. Furthermore, we have established procedures designed to ensure the exercise of data subject rights, the erasure of personal data, and responses to data compromise. In addition, we take the protection of personal data into account as early as the development and/or selection of hardware, software and procedures, in accordance with the principle of data protection by design and by default.

Securing online connections using TLS/SSL encryption technology (HTTPS): To protect users’ personal data transmitted via our online services from unauthorised access, we use TLS/SSL encryption technology. These technologies encrypt information transmitted between the website or app and the user’s browser (or between servers), thereby protecting it from unauthorised access. TLS, the further developed and more secure successor to SSL, ensures that data transfers meet high security standards. The use of an SSL/TLS certificate is typically indicated by “HTTPS” in the URL.

Disclosure and Transfer of Personal Data

In the course of processing personal data, personal data may be transferred to, or disclosed to, other parties, companies, legally independent organisational units, or persons. Recipients may include, for example, service providers commissioned with IT-related tasks or providers of services and content integrated into a website. In such cases, we comply with the applicable legal requirements and, in particular, enter into suitable agreements (e.g. data processing agreements) with recipients to ensure the protection of personal data.

Internal disclosures: We may disclose personal data to other departments or organisational units within our organisation or grant them access to such data. Where such disclosure is made for administrative purposes, it is based on our legitimate business and commercial interests, or it is necessary for the performance of our contractual obligations, or it is carried out on the basis of consent or a legal permission.

International Data Transfers

Processing in third countries: Where we transfer personal data to a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or where such a transfer occurs in the context of using third-party services or disclosing personal data to other persons, bodies or companies (which may be apparent from the postal address of the respective provider or an express reference in this privacy policy), such transfers are carried out in accordance with the applicable legal requirements.

For transfers to the United States, we primarily rely on the EU–US Data Privacy Framework (DPF), which has been recognised as an adequate legal framework by the European Commission’s adequacy decision of 10 July 2023. In addition, we have concluded Standard Contractual Clauses (SCCs) with the respective providers in accordance with the requirements of the European Commission, which set out contractual obligations to protect personal data.

This dual-layer approach provides comprehensive safeguards: the DPF serves as the primary safeguard, while the SCCs provide additional protection. Should the DPF framework change, the SCCs will serve as a fallback mechanism. This ensures that personal data remains adequately protected even in the event of political or legal developments.

For each service provider, we inform you whether they are certified under the DPF and whether SCCs are in place. Further information about the DPF and a list of certified organisations can be found on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/ (in English).

For transfers to other third countries, appropriate safeguards apply, in particular SCCs, explicit consent or transfers required by law. Information on third-country transfers and existing adequacy decisions is available from the European Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.

General Information on Retention and Erasure of Personal Data

We erase personal data in accordance with the applicable statutory provisions as soon as the consents on which processing is based are withdrawn or other legal bases cease to apply. This applies, for example, where the original purpose of processing no longer applies or the personal data is no longer required. Exceptions apply where statutory retention obligations or other compelling reasons require longer retention or archiving.

In particular, personal data that must be retained for commercial or tax law reasons or where retention is necessary for the establishment, exercise or defence of legal claims, or for the protection of the rights of other natural or legal persons, will be archived accordingly.

These privacy notices contain additional information on the retention and erasure of personal data that applies to specific processing operations.

Where multiple retention periods or erasure deadlines are stated, the longest period shall prevail. Personal data that is retained beyond the original purpose solely due to statutory obligations or other reasons will only be processed for the purposes justifying such retention.

Retention and erasure: The following general retention periods apply under German law:

  • 10 years – retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets as well as the work instructions and other organisational documents necessary for their understanding (§ 147(1) no. 1 in conjunction with (3) AO, § 14b(1) UStG, § 257(1) no. 1 in conjunction with (4) HGB).
  • 8 years – accounting vouchers, such as invoices and expense receipts (§ 147(1) no. 4 and 4a in conjunction with (3) sentence 1 AO as well as § 257(1) no. 4 in conjunction with (4) HGB).
  • 6 years – other business documents: received commercial or business letters, copies of sent commercial or business letters, and other documents insofar as they are relevant for taxation (e.g. wage slips, operating accounting sheets, calculation documents, price labels, as well as payroll documents insofar as they are not already accounting vouchers, and cash register tapes) (§ 147(1) nos. 2, 3, 5 in conjunction with (3) AO, § 257(1) nos. 2 and 3 in conjunction with (4) HGB).
  • 3 years – personal data required to consider potential warranty and damages claims or similar contractual claims and rights and to handle related inquiries is retained for the regular statutory limitation period of three years (§§ 195, 199 BGB).

Commencement at the end of the year: Where a period does not expressly commence on a specific date and is at least one year, it generally commences at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships, the triggering event is the date on which termination becomes effective or otherwise the legal relationship ends.

Rights of Data Subjects

Rights of data subjects under the GDPR: As a data subject, you have the following rights under the GDPR, in particular pursuant to Articles 15 to 21 GDPR:

  • Right to object: You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you that is based on Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on those provisions. Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling to the extent that it is related to such direct marketing.
  • Right to withdraw consent: You have the right to withdraw your consent at any time.
  • Right of access: You have the right to obtain confirmation as to whether or not personal data concerning you is being processed and, where that is the case, access to the personal data and further information as well as a copy of the personal data in accordance with statutory provisions.
  • Right to rectification: You have the right to request the rectification of inaccurate personal data concerning you and, taking into account the purposes of processing, the completion of incomplete personal data.
  • Right to erasure and restriction of processing: You have the right to request the erasure of personal data concerning you without undue delay or, alternatively, to request the restriction of processing in accordance with statutory provisions.
  • Right to data portability: You have the right to receive personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, or to request its transmission to another controller, where technically feasible.
  • Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.

Performance of Tasks under the Articles of Association or Rules of Procedure

We process personal data of our members, supporters, interested parties, business partners or other persons (collectively “data subjects”) where we have a membership or other business relationship with them, and in order to perform our tasks as well as to receive services and contributions. In addition, we process personal data on the basis of our legitimate interests, e.g. where the processing relates to administrative tasks or public relations.

The personal data processed, the scope of processing, the purposes of processing and the necessity of processing are determined by the underlying membership or contractual relationship, which also determines the necessity of any data to be provided (we also indicate mandatory information where applicable).

We erase personal data that is no longer necessary for the pursuit of our statutory and business purposes. This is determined according to the respective tasks and contractual relationships. We retain personal data for as long as it may be relevant for the handling of business transactions and with regard to potential warranty or liability obligations, based on our legitimate interest in their settlement. The necessity of retention is reviewed on a regular basis; statutory retention obligations remain unaffected.

  • Categories of personal data processed: Inventory data (e.g. full name, residential address, contact details, customer number, etc.); Contact data (e.g. postal and email addresses or telephone numbers); Contract data (e.g. subject matter, term, customer category); Member data (e.g. personal details such as name, age, gender, contact details (email address, telephone number), membership number, information on membership fees, participation in events, etc.); Payment data (e.g. bank details, invoices, payment history); Content data (e.g. textual or visual messages and posts as well as related information such as authorship or time of creation).
  • Categories of data subjects: Members; Interested parties; Communication partners; Donors; Third parties.
  • Purposes of processing: Communication; Organisational and administrative processes; Public relations and information purposes; Business processes and commercial/financial procedures; Donation collection / fundraising.
  • Retention and erasure: Erasure in accordance with the section “General Information on Retention and Erasure of Personal Data”.
  • Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Performance of a contract (membership agreement / Articles of Association) (Art. 6(1)(b) GDPR); Compliance with a legal obligation (Art. 6(1)(c) GDPR).

Further information on processing operations, procedures and services:

  • Membership administration: This includes the acquisition and admission of new members, the development and implementation of member retention strategies and effective communication with members. This involves the collection and maintenance of member data, the regular updating of membership information and the administration of membership fees, including invoicing and settlement; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR), Performance of a contract (membership agreement) (Art. 6(1)(b) GDPR).
  • Contribution administration: This includes recording membership fee data following accession, tracking membership fee payments and updating payment status, processing payment transactions, issuing reminders for overdue payments, reconciling accounts in the context of receivables and liabilities, and maintaining corresponding books and records; Legal bases: Compliance with a legal obligation (Art. 6(1)(c) GDPR), Legitimate interests (Art. 6(1)(f) GDPR), Performance of a contract (membership agreement) (Art. 6(1)(b) GDPR).
  • Events and organisational operations: This includes planning, conducting and following up on events and operating statutory activities. Planning includes collecting and processing participant data, coordinating logistical requirements and defining the agenda. Conducting includes managing participant registration, updating participant information during the event and recording attendance and activities. Follow-up includes analysing participant data to evaluate success, preparing reports and archiving relevant event information. Organisational operations also include the administration of member data, communication with members and interested parties, and the organisation of internal meetings and sessions; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR), Performance of a contract (membership agreement) (Art. 6(1)(b) GDPR).
  • Public relations: This includes preparing and distributing information materials, maintaining contact data for press and media relations, and organising and conducting press conferences and public events. It also includes collecting and preparing information for press releases, newsletters, reports and other publications and distributing them via digital and traditional channels (including email distribution lists, websites and social media). The maintenance of contact data includes collecting and updating data of media contacts and other relevant stakeholders. Interaction takes place via direct communication with journalists, bloggers and other opinion leaders, answering inquiries and providing information; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR), Performance of a contract (membership agreement) (Art. 6(1)(b) GDPR).
  • Donation collection and fundraising: This includes planning and carrying out fundraising campaigns, administering donor data and communicating with donors and potential sponsors. Campaign planning includes developing strategies, defining objectives and selecting channels. Campaign execution includes implementing specific fundraising activities and collecting donations via online platforms, events and direct approaches. Donor data management includes collecting, updating and analysing data to optimise future campaigns. Communication includes personalised approaches, thank-you letters and regular updates on project outcomes and the use of funds; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR), Performance of a contract (membership agreement) (Art. 6(1)(b) GDPR).

Business Processes and Procedures

Personal data of recipients of services and clients – including customers, clients or, in specific cases, principals, patients or business partners, as well as other third parties – is processed in the context of contractual and comparable legal relationships and pre-contractual measures, such as the initiation of business relationships. This processing supports and facilitates operational business processes in areas such as customer management, sales, payment transactions, accounting and project management.

The collected personal data is used to fulfil contractual obligations and to organise operational processes efficiently. This includes handling business transactions, managing customer relationships, optimising sales strategies and ensuring internal accounting and financial processes. In addition, processing supports safeguarding the rights of the controller and promotes administrative tasks as well as organisational management.

Personal data may be disclosed to third parties where this is necessary to achieve the purposes stated or to comply with statutory obligations. After statutory retention periods expire or where the purposes of processing no longer apply, the personal data will be erased. This also applies to personal data that must be retained for longer due to tax law or statutory documentation obligations.

  • Categories of personal data processed: Inventory data; Payment data; Contact data; Content data; Contract data; Usage data; Meta, communication and procedural data; Log data.
  • Categories of data subjects: Recipients of services and clients; Interested parties; Communication partners; Business and contractual partners; Users; Third parties; Employees.
  • Purposes of processing: Provision of contractual services and performance of contractual obligations; Office and organisational processes; Business processes and commercial/financial procedures; Marketing; Sales promotion; Public relations; Information technology infrastructure.
  • Retention and erasure: Erasure in accordance with the section “General Information on Retention and Erasure of Personal Data”.
  • Legal bases: Performance of a contract / pre-contractual measures (Art. 6(1)(b) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures and services:

  • Marketing, advertising and sales promotion: Processes required for marketing, advertising and sales promotion (e.g. market analysis, determination of target groups, development of marketing strategies, planning and implementation of advertising campaigns, creation of advertising materials, online marketing including SEO and social media campaigns, event marketing, trade fair participation, customer loyalty programmes, performance measurement and optimisation, budget management and cost control); Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
  • Economic analyses and market research: For business purposes and to identify market trends and the preferences of contractual partners and users, data relating to business transactions, contracts, inquiries, etc. may be analysed. Data subjects may include contractual partners, interested parties, customers, visitors and users of the controller’s online offering. The analysis serves business evaluations, marketing and market research purposes (e.g. to identify customer groups with different characteristics). Where available, profiles of registered users, including information on services used, may be taken into account. Analyses are carried out solely for the controller and are not disclosed externally unless they are anonymous analyses with aggregated (anonymised) values. Users’ privacy is taken into account; data is processed in pseudonymised form where possible and anonymised where feasible (e.g. aggregated data); Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
  • Public relations: Processes required for public relations (e.g. development and implementation of communication strategies, planning and implementation of PR campaigns, preparation and distribution of press releases, maintenance of media contacts, monitoring and analysis of media response, organisation of press conferences and public events, crisis communication, creation of content for social media and corporate websites, corporate branding support); Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

Provision of the Online Offering and Web Hosting

We process users’ personal data in order to provide our online services. For this purpose, we process the user’s IP address, which is necessary to deliver the content and functions of our online services to the users’ browser or device.

  • Categories of personal data processed: Usage data; Meta, communication and procedural data; Log data; Content data.
  • Categories of data subjects: Users.
  • Purposes of processing: Provision of the online offering and user-friendliness; Information technology infrastructure.
  • Retention and erasure: Erasure in accordance with the section “General Information on Retention and Erasure of Personal Data”.
  • Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures and services:

  • Provision of the online offering on rented hosting resources: For the provision of the online offering, we use storage space, computing capacity and software which we rent or otherwise obtain from a hosting provider (“web host”); Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
  • Email sending and hosting: Our hosting services also include the sending, receipt and storage of emails. For these purposes, the addresses of recipients and senders as well as further information relating to email transmission (e.g. the providers involved) and the content of the emails are processed. The aforementioned data may also be processed for the purpose of spam detection. Please note that emails are generally not encrypted end-to-end when transmitted over the internet. As a rule, emails are encrypted in transit, but (unless end-to-end encryption is used) not on the servers from which they are sent and received. We therefore cannot assume responsibility for the transmission path of emails between the sender and receipt on our server; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
  • webgo: Services in the field of information technology infrastructure and related services (e.g. storage space and/or computing capacity); Service provider: webgo GmbH, Wandsbeker Zollstr. 95, 22041 Hamburg, Germany; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.webgo.de/. Privacy policy: https://www.webgo.de/datenschutz/.

Use of Cookies

The term “cookies” refers to functions that store information on users’ end devices and read it from them. Cookies may be used for different purposes, such as ensuring functionality, security and convenience of the online offering and to analyse visitor flows. We use cookies in accordance with statutory requirements. Where required, we obtain users’ consent in advance. Where consent is not required, we rely on our legitimate interests, in particular where the storage and access to information is strictly necessary to provide expressly requested content and functions (e.g. storing settings or ensuring the functionality and security of the online offering). Consent may be withdrawn at any time. We provide clear information about the scope and the cookies used.

Legal bases under data protection law: Whether personal data is processed using cookies depends on consent. Where consent is given, it constitutes the legal basis. Where no consent is given, we rely on our legitimate interests as explained above and in the context of the respective services and procedures.

Storage duration: With regard to storage duration, the following types of cookies are distinguished:

  • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest when a user leaves the online offering and closes their end device (e.g. browser or mobile application).
  • Persistent cookies: Persistent cookies remain stored even after the end device is closed. For example, login status may be stored and preferred content displayed directly when a user revisits a website. Usage data collected by cookies may also be used for reach measurement. Unless we provide explicit information on the type and storage duration of cookies (e.g. when obtaining consent), users should assume that cookies may be persistent and that the storage duration may be up to two years.

General information on withdrawal and objection (opt-out): Users can withdraw consent at any time and may also object to processing in accordance with statutory requirements, including via their browser’s privacy settings.

  • Categories of personal data processed: Meta, communication and procedural data.
  • Categories of data subjects: Users.
  • Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Consent (Art. 6(1)(a) GDPR).

Further information on processing operations, procedures and services:

  • Processing of cookie data based on consent: We use a consent management solution to obtain, document, manage and withdraw users’ consent to the use of cookies or comparable technologies and to the processing operations and providers specified therein. As part of this procedure, users’ consents are obtained for the use of cookies and the associated processing of information. Users can manage and withdraw their consents. Consent declarations are stored to avoid repeated requests and to provide evidence of consent in accordance with legal requirements. Storage may take place server-side and/or by means of a cookie (so-called opt-in cookie) or comparable technologies in order to assign consent to a specific user or device. Where no provider-specific information is available, the following applies: consent may be stored for up to two years. A pseudonymous user identifier is created and stored together with the time of consent, the scope of consent (e.g. categories of cookies and/or service providers) as well as information about the browser, system and end device used; Legal basis: Consent (Art. 6(1)(a) GDPR).
  • BorlabsCookie: Storage and management of consents (consent to cookies and data processing), logging of user decisions, display of privacy and cookie notices, enabling the withdrawal or adjustment of consents by users; Service provider: operated under its own responsibility under data protection law; Website: https://de.borlabs.io/borlabs-cookie/. Further information: An individual user ID, language, types of consent and the time consent was given are stored server-side and in a cookie on the users’ device.

Blogs and Publishing Media

We use blogs or comparable means of online communication and publication (hereinafter the “publishing medium”). Readers’ personal data is processed for the purposes of the publishing medium only insofar as it is necessary for its presentation and for communication between authors and readers, or for security reasons. Otherwise, we refer to the information on processing of visitors to our publishing medium within the scope of this privacy policy.

  • Categories of personal data processed: Inventory data; Contact data; Content data; Usage data; Meta, communication and procedural data.
  • Categories of data subjects: Users.
  • Purposes of processing: Feedback; Provision of the online offering and user-friendliness; Security measures; Organisational and administrative processes.
  • Retention and erasure: Erasure in accordance with the section “General Information on Retention and Erasure of Personal Data”.
  • Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures and services:

  • Comments and posts: Where users leave comments or other posts, we may store their IP addresses on the basis of our legitimate interests for security purposes, in particular where unlawful content is posted (e.g. insults, prohibited political propaganda). In such cases, we may be held liable for the content and therefore have an interest in identifying the author.

    We further reserve the right to process users’ data for spam detection on the basis of our legitimate interests.

    On the same legal basis, we may store users’ IP addresses for the duration of surveys and use cookies to prevent multiple voting.

    Personal data communicated in the context of comments and posts (e.g. contact data, website information and content) will be stored until the user objects; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

  • Retrieval of WordPress emojis and smilies: Within our WordPress blog, graphic emojis (or smilies) are used to efficiently integrate content elements. These are obtained from external servers. The server providers process users’ IP addresses, which is necessary to transmit the emoji files to users’ browsers; Service provider: Aut O’Mattic A8C Ireland Ltd., Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://automattic.com; Privacy policy: https://automattic.com/privacy; Data processing agreement: provided by the service provider. Third-country transfer mechanism: Data Privacy Framework (DPF), Standard Contractual Clauses (provided by the service provider).
  • Gravatar profile pictures: We use the Gravatar service within our online offering, in particular in the blog.

    Gravatar is a service that allows users to register and store profile pictures and email addresses. Where users leave posts or comments on other online presences (especially blogs) using the respective email address, their profile pictures can be displayed next to the posts or comments. For this purpose, the email address provided by the user is transmitted in encrypted form to Gravatar to check whether a corresponding profile exists. This is the sole purpose of transmitting the email address. It is not used for other purposes and is deleted thereafter.

    The use of Gravatar is based on our legitimate interests, as it enables authors of posts and comments to personalise their contributions with a profile picture.

    As part of the display of the images, Gravatar processes users’ IP addresses, as this is necessary for communication between a browser and an online service.

    If users do not want an avatar linked to their email address on Gravatar to be displayed in comments, they should use an email address that is not registered with Gravatar. Users may also use an anonymous email address or no email address at all. Users can prevent the transfer of data by not using our comment system; Service provider: Aut O’Mattic A8C Ireland Ltd., Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://automattic.com; Privacy policy: https://automattic.com/privacy; Data processing agreement: provided by the service provider. Third-country transfer mechanism: Data Privacy Framework (DPF), Standard Contractual Clauses (provided by the service provider).

  • UpdraftPlus: Backup software and backup storage; Service provider: Simba Hosting Ltd., 11, Barringer Way, St. Neots, Cambs., PE19 1LW, United Kingdom; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://updraftplus.com/. Privacy policy: https://updraftplus.com/data-protection-and-privacy-centre/.

Contact and Inquiry Management

When contacting us (e.g. by post, contact form, email, telephone or via social media) and within the scope of existing user and business relationships, the information provided by the inquiring persons is processed to the extent necessary to respond to the contact request and to handle any requested measures.

  • Categories of personal data processed: Contact data (e.g. postal and email addresses or telephone numbers); Content data (e.g. textual or visual messages and posts as well as related information, such as authorship details or time of creation); Meta, communication and procedural data (e.g. IP addresses, time information, identification numbers, persons involved); Inventory data (e.g. full name, residential address, contact information, customer number, etc.); Usage data (e.g. page views and duration of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions).
  • Categories of data subjects: Communication partners; Recipients of services and clients; Users (e.g. website visitors, users of online services).
  • Purposes of processing: Communication; Organisational and administrative processes; Feedback (e.g. collecting feedback via an online form); Provision of our online offering and user-friendliness; Direct marketing (e.g. by email or post).
  • Retention and erasure: Erasure in accordance with the section “General Information on Retention and Erasure of Personal Data”.
  • Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).

Further information on processing operations, procedures and services:

  • Contact form: When contacting us via our contact form, by email or through other communication channels, we process the personal data transmitted to us in order to respond to and handle the respective request. This generally includes information such as name, contact details and, where applicable, further information communicated to us that is required for an appropriate handling of the request. We use this data exclusively for the stated purpose of contacting and communicating; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).
  • Elementor: Creation of online forms, collection and storage of the related user inputs; Service provider: Elementor Ltd., Tuval St 40, Ramat Gan, Israel; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR); Website: https://elementor.com/features/form-builder/; Privacy policy: https://elementor.com/about/privacy/; Data processing agreement: https://elementor.com/terms/cloud-toc/elementor-data-processing-agreement/; Third-country transfer mechanism: Standard Contractual Clauses (https://elementor.com/terms/cloud-toc/elementor-data-processing-agreement/). Further information: https://elementor.com/trust/.
  • CleverReach: Email dispatch and marketing automation services; Service provider: CleverReach GmbH & Co. KG, //CRASH Building, Schafjückenweg 2, 26180 Rastede, Germany; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.cleverreach.com/de; Privacy policy: https://www.cleverreach.com/de/datenschutz/. Data processing agreement: Provided by the service provider.

Newsletters and Electronic Notifications

We send newsletters, emails and other electronic notifications (hereinafter “newsletters”) only with the recipients’ consent or on the basis of a statutory permission. Where the content of the newsletter is specified as part of the subscription process, such content is decisive for the scope of the users’ consent. For subscribing to our newsletter, it is usually sufficient to provide your email address. However, in order to provide you with a personalised service, we may additionally ask for your name (for personal addressing in the newsletter) or further information where this is necessary for the purpose of the newsletter.

Erasure and restriction of processing: We may store unsubscribed email addresses for up to three years on the basis of our legitimate interests before deleting them, in order to be able to prove that consent had previously been granted. Processing of this data is restricted to the purpose of a potential defence against claims. An individual request for erasure is possible at any time, provided that the former existence of consent is confirmed at the same time. In case we are obliged to permanently observe objections, we reserve the right to store the email address solely for this purpose in a suppression list (so-called “blocklist”).

The logging of the subscription process is carried out on the basis of our legitimate interests for the purpose of demonstrating that it was carried out properly. Where we commission a service provider to send emails, this is done on the basis of our legitimate interests in an efficient and secure dispatch system.

Content: Information about us, our services, campaigns and offers.

  • Categories of personal data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); Contact data (e.g. postal and email addresses or telephone numbers); Meta, communication and procedural data (e.g. IP addresses, time information, identification numbers, persons involved); Usage data (e.g. page views and duration of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions).
  • Categories of data subjects: Communication partners; Users (e.g. website visitors, users of online services).
  • Purposes of processing: Direct marketing (e.g. by email or post); Provision of contractual services and performance of contractual obligations.
  • Legal bases: Consent (Art. 6(1)(a) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
  • Opt-out option: You can cancel the receipt of our newsletter at any time, i.e. withdraw your consent and/or object to further receipt. A link to unsubscribe can be found at the end of each newsletter. Alternatively, you can contact us using one of the contact options listed above, preferably by email.

Further information on processing operations, procedures and services:

  • Measurement of open and click rates: Newsletters contain so-called web beacons, i.e. a pixel-sized file that is retrieved when the newsletter is opened from our server or, if we use a dispatch service provider, from their server. In the course of this retrieval, technical information is collected (e.g. information about the browser and your system), as well as your IP address and the time of retrieval. This information is used to technically improve our newsletter, to analyse target groups and their reading behaviour based on the retrieval locations (which may be determined using the IP address) or access times. This analysis also includes determining whether and when newsletters are opened and which links are clicked. The information is assigned to individual newsletter recipients and stored in their profiles until deletion. The evaluations help us recognise users’ reading habits and tailor our content to them or to send different content according to users’ interests. The measurement of open and click rates, as well as the storage of the measurement results in users’ profiles and any further processing, is carried out on the basis of users’ consent. A separate withdrawal of consent for performance measurement is not possible; in this case, the entire newsletter subscription must be cancelled or objected to. In this case, stored profile information will be deleted; Legal basis: Consent (Art. 6(1)(a) GDPR); Service provider: datenschutz nord GmbH, Sechslingspforte 2, 22087 Hamburg, Germany; Website: https://www.cleverreach.com. Privacy policy: https://www.cleverreach.com/de-de/datenschutz/.
  • Condition for using free services: Consent to receive mailings may be made a prerequisite for using free services (e.g. access to certain content or participation in certain campaigns). If users wish to use the free service without subscribing to the newsletter, we ask that they contact us.
  • CleverReach: Email dispatch and marketing automation services; Service provider: CleverReach GmbH & Co. KG, //CRASH Building, Schafjückenweg 2, 26180 Rastede, Germany; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.cleverreach.com/de; Privacy policy: https://www.cleverreach.com/de/datenschutz/. Data processing agreement: Provided by the service provider.

Promotional Communication via Email, Post, Fax or Telephone

We process personal data for the purposes of promotional communication, which may be carried out via various channels such as email, telephone, post or fax in accordance with the applicable legal requirements.

Recipients have the right to withdraw any consent granted at any time or to object to promotional communication at any time free of charge using the contact options stated above.

Following withdrawal or objection, we store the data required to evidence the prior authorisation to contact or send materials for up to three years after the end of the year in which the withdrawal or objection occurred, on the basis of our legitimate interests. Processing of this data is restricted to the purpose of a potential defence against claims. On the basis of our legitimate interest in permanently observing withdrawals and/or objections, we also store the data required to prevent renewed contact (e.g. depending on the communication channel: email address, telephone number, name) in a suppression list.

  • Categories of personal data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); Contact data (e.g. postal and email addresses or telephone numbers); Content data (e.g. textual or visual messages and posts as well as related information, such as authorship details or time of creation).
  • Categories of data subjects: Communication partners.
  • Purposes of processing: Direct marketing (e.g. by email or post); Marketing; Sales promotion.
  • Retention and erasure: Erasure in accordance with the section “General Information on Retention and Erasure of Personal Data”.
  • Legal bases: Consent (Art. 6(1)(a) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).

Presences on Social Networks (Social Media)

We maintain online presences within social networks and process users’ data in this context in order to communicate with users active there or to provide information about us.

Please note that users’ data may be processed outside the European Union. This may entail risks for users, as enforcement of users’ rights could be made more difficult, for example.

Furthermore, users’ data within social networks is typically processed for market research and advertising purposes. For example, usage profiles may be created based on users’ usage behaviour and resulting interests. Such profiles may in turn be used to place advertisements within and outside the networks that are presumed to correspond to users’ interests. For these purposes, cookies are generally stored on users’ devices, in which the usage behaviour and users’ interests are stored. In addition, data may also be stored in the usage profiles independently of the devices used by users (especially if users are members of the respective platforms and are logged in there).

For a detailed description of the respective forms of processing and the objection options (opt-out), we refer to the privacy policies and information provided by the operators of the respective networks.

We also note that requests for information and the assertion of data subject rights can be most effectively made with the providers. Only the providers have access to the users’ data and can directly take appropriate measures and provide information. If you nevertheless require assistance, you can contact us.

  • Categories of personal data processed: Contact data (e.g. postal and email addresses or telephone numbers); Content data (e.g. textual or visual messages and posts as well as related information, such as authorship details or time of creation); Usage data (e.g. page views and duration of stay, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions).
  • Categories of data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Communication; Feedback (e.g. collecting feedback via an online form); Public relations.
  • Retention and erasure: Erasure in accordance with the section “General Information on Retention and Erasure of Personal Data”.
  • Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures and services:

  • Instagram: Social network enabling the sharing of photos and videos, commenting on and favouriting posts, messaging, subscribing to profiles and pages; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.instagram.com; Privacy policy: https://privacycenter.instagram.com/policy/. Third-country transfer mechanism: Data Privacy Framework (DPF).
  • LinkedIn: Social network – We are jointly responsible with LinkedIn Ireland Unlimited Company for the collection (but not further processing) of visitor data used to create “Page Insights” (statistics) for our LinkedIn profiles. This data includes information on the types of content users view or interact with and the actions they take. Details about the devices used are also collected, such as IP addresses, operating system, browser type, language settings and cookie data, as well as information from user profiles, such as job function, country, industry, seniority, company size and employment status. Data protection information on LinkedIn’s processing of user data can be found in LinkedIn’s privacy policy: https://www.linkedin.com/legal/privacy-policy.

    We have concluded a specific agreement with LinkedIn Ireland (“Page Insights Joint Controller Addendum”, https://legal.linkedin.com/pages-joint-controller-addendum), which regulates in particular the security measures LinkedIn must observe and in which LinkedIn has agreed to comply with data subject rights (i.e. users may, for example, direct access or deletion requests to LinkedIn). Users’ rights (in particular the right of access, erasure, objection and complaint to the competent supervisory authority) are not restricted by the agreements with LinkedIn. Joint controllership is limited to the collection and transmission of the data to LinkedIn Ireland Unlimited Company, a company established in the EU. The further processing of the data is the sole responsibility of LinkedIn Ireland Unlimited Company, in particular with regard to the transfer of data to the parent company LinkedIn Corporation in the USA; Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.linkedin.com; Privacy policy: https://www.linkedin.com/legal/privacy-policy; Third-country transfer mechanisms: Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.linkedin.com/dpa). Opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Amendments and Updates

We ask that you regularly review the content of our privacy policy. We amend the privacy policy as soon as changes to the data processing carried out by us make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g. consent) or another individual notification.

Where we provide addresses and contact details of companies and organisations in this privacy policy, please note that such addresses may change over time. We therefore ask that you verify the information before making contact.

Definitions

This section provides an overview of the terminology used in this privacy policy. Where terms are legally defined, such statutory definitions shall apply. The following explanations are primarily intended to facilitate understanding.

  • Employees: “Employees” means persons who are in an employment relationship, whether as staff members, employees or in comparable positions. An employment relationship is a legal relationship between an employer and an employee established by an employment contract or an agreement. It includes the employer’s obligation to pay remuneration to the employee while the employee performs their work. The employment relationship comprises various phases, including its establishment (conclusion of the employment contract), performance (the employee carrying out their work activities) and termination, when the employment relationship ends, whether by notice of termination, termination agreement or otherwise. Employee data comprises all information relating to such persons in the context of their employment. This includes, for example, personal identification data, identification numbers, salary and banking data, working time data, vacation entitlements, health data and performance appraisals.
  • Inventory data: Inventory data comprises essential information required for the identification and administration of contractual partners, user accounts, profiles and similar assignments. Such data may include, inter alia, personal and demographic information such as names, contact details (addresses, telephone numbers, email addresses), dates of birth and specific identifiers (user IDs). Inventory data forms the basis for any formal interaction between persons and services, organisations or systems by enabling clear assignment and communication.
  • Content data: Content data comprises information generated in the course of creating, editing and publishing content of any kind. This category may include texts, images, videos, audio files and other multimedia content published on various platforms and media. Content data is not limited to the content itself, but also includes metadata providing information about the content, such as tags, descriptions, author information and publication data.
  • Contact data: Contact data means essential information enabling communication with individuals or organisations. This includes, inter alia, telephone numbers, postal addresses and email addresses, as well as communication identifiers such as social media handles and instant messaging identifiers.
  • Meta, communication and procedural data: Meta, communication and procedural data are categories of information relating to how data is processed, transmitted and administered. Metadata (also referred to as “data about data”) comprises information describing the context, origin and structure of other data and may include, for example, file size details, date of creation, document author and revision history. Communication data records the exchange of information between users via various channels (e.g. email traffic, call logs, messages in social networks and chat histories), including the persons involved, timestamps and transmission routes. Procedural data describes processes and workflows within systems or organisations, including workflow documentation, logs of transactions and activities, as well as audit logs used to trace and review operations.
  • Member data: Member data comprises information relating to individuals who are part of an organisation, association, online service or other group. Such data serves to administer memberships, facilitate communication and provide services or benefits associated with membership. Member data may include personal identification information, contact information, information on membership status and duration, membership fee payments, participation in events and activities, and preferences and interests. It may also include data on the use of the organisation’s offerings. The collection and processing of such data takes place in compliance with data protection law and serves both administrative handling and the promotion of member engagement and satisfaction.
  • Usage data: Usage data refers to information that records how users interact with digital products, services or platforms. This data includes a wide range of information indicating how users use applications, which functions they prefer, how long they remain on certain pages and which paths they take through an application. Usage data may also include frequency of use, activity timestamps, IP addresses, device information and location data. It is particularly valuable for analysing user behaviour, optimising user experiences, personalising content and improving products or services. In addition, usage data plays an important role in identifying trends, preferences and potential problem areas within digital offerings.
  • Personal data: “Personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Log data: Log data comprises information about events or activities that have been logged within a system or network. This data typically includes information such as timestamps, IP addresses, user actions, error messages and other details regarding the use or operation of a system. Log data is often used for analysing system issues, security monitoring or generating performance reports.
  • Controller: “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processing: “Processing” means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and encompasses virtually any handling of data, including collection, analysis, storage, transmission and erasure.
  • Contract data: Contract data means specific information relating to the formalisation of an agreement between two or more parties. It documents the terms and conditions under which services or products are provided, exchanged or sold. This category of data is essential for the administration and performance of contractual obligations and includes both the identification of the contracting parties and the specific terms and conditions of the agreement. Contract data may include the start and end dates of the contract, the type of agreed services or products, pricing arrangements, payment terms, termination rights, renewal options and special terms or clauses. It serves as the legal basis for the relationship between the parties and is important for clarifying rights and obligations, enforcing claims and resolving disputes.
  • Payment data: Payment data comprises all information required to process payment transactions between buyers and sellers. Such data is of particular importance for e-commerce, online banking and any other form of financial transaction. It includes details such as credit card numbers, bank account details, payment amounts, transaction data, verification numbers and invoicing information. Payment data may also include information on payment status, chargebacks, authorisations and fees.