Privacy Policy

In this privacy policy, we inform you about the processing of your personal data in connection with the use of our website (www.zois-berlin.de/en). Personal data refers to information which relates to an identified or identifiable person. This includes, in particular, information which makes it possible to draw conclusions about your identity, such as, for example, your name, telephone number or e-mail address. However, certain identifiers, such as your IP address or the device ID of the end device you are using, also constitute personal data.

1. Data controller and point of contact

The responsible data controller

Within the meaning of the General Data Protection Regulation (GDPR), the point of contact and so-called data controller with responsibility for processing your personal data when visiting this website is the
Centre for East European and International Studies (ZOiS) gGmbH
Mohrenstraße 60
10117 Berlin

hereinafter referred to as: ‘ZOiS’, ‘we’ or ‘us’.

Telephone: +49 (30) 2005949-23
E-mail: datenschutz(at)zois-berlin(dot)de
For all queries regarding data protection in connection with our activities or the use of our website, please contact our data protection officer at any time. The data protection officer can be contacted at the above postal address and at the e-mail address given above (please write ‘FAO data protection officer’). We would like to point out that enquiries sent to this e-mail address will not be read solely by our data protection officer. Therefore, if you wish to exchange confidential information, please contact the officer directly via this email address in the first instance.

2. Data processing on our website

2.1 Visiting our website/connection data

Every time you use our website, we collect the data which your browser automatically transmits in order to enable you to visit our website. This connection data comprises the so-called HTTP header information, including the user agent, and includes in particular:

  • The IP address of the software/browser that is making the request to the website;
  • Methods (e.g. GET, POST), date and time of request;
  • The address of the requested website and path of the requested file;
  • If applicable, the previously accessed website/file (HTTP referrer);
  • Information about the browser used and the operating system;
  • The version of the HTTP protocol, the HTTP status code, the size of the delivered file;
  • Request information such as language, type of content, encoding of content and character sets;
  • Cookies from the accessed domain which are stored on the end device.

This connection data must be processed to enable the website visit, to guarantee the permanent functionality and security of our systems, and to facilitate the general administrative maintenance of our website. For the purposes described above, the connection data is also stored – temporarily and limited to the most necessary content – in internal log files. This allows us to find the cause of and take action against repeated or criminal attempts to access our website that endanger its stability and security.

The legal basis for this data processing is Article 6(1)(b) GDPR, insofar as the page view occurs in the course of the initiation or execution of a contract, and otherwise Article 6(1)(f) GDPR due to our legitimate interest in enabling access to the website and ensuring the permanent functionality and security of our systems. However, the automatic transmission of the connection data and the log files developed on that basis do not amount to accessing information in the end device within the meaning of the national laws developed by EU member states for the purpose of transposing the ePrivacy Directive (in Germany, Section 25 TTDSG).

The log files are generally stored in abbreviated form with no direct personal reference for seven days. In exceptional cases, individual log files and IP addresses are kept for longer than that in order to prevent further attacks from a particular IP address in the event of cyber-attacks and/or to take legal action against the attackers.

2.2 Making contact

You can contact us by e-mail and by telephone. In this context, we only process your data for the purpose of communicating with you.

The legal basis for this processing is Article 6(1)(b) GDPR, insofar as your details are required to answer your question or to initiate or execute a contract, and otherwise Article 6(1)(f) GDPR due to our legitimate interest in enabling you to contact us and responding to your query.

The data we collect when you contact us will be automatically deleted after we have fully processed your enquiry, unless we still need your enquiry to fulfil contractual or legal obligations (see section 7 ‘Storage period’).

2.3 Newsletter

You have the opportunity to subscribe to our newsletter in which we regularly inform you about new developments and events.

2.3.1 Subscribing to the ZOiS Newsletter

For subscriptions to our newsletter, we use the so-called double opt-in procedure, i.e. we will only send you newsletters by e-mail after you click on a link in our notification e-mail to confirm that this is your e-mail address. Provided you confirm that this is your e-mail address, we save it along with the time of registration and the IP address used for registration until such time as you unsubscribe from the newsletter. We store this information solely for the purpose of sending you the newsletter and proving that you have registered. In addition, we check whether our newsletter can in fact be delivered.

The legal basis for this data processing is Article 6(1)(a) GDPR. You can revoke your consent at any time with future effect by unsubscribing from the newsletter. A corresponding unsubscribe link can be found in every newsletter. A notification to this effect sent via e-mail or letter to the addresses specified above or in the newsletter would also suffice.

2.3.2 Newsletter tracking

We want to use our newsletter to share the most relevant possible content with our subscribers and better understand what actually interests them. That is why we use customary technologies for measuring interactions with the newsletter (e.g. opening the e-mail, links clicked). We pseudonymise this data for general statistical evaluations and for the optimisation and further development of our content and communications with subscribers. To this end, we use tiny graphic elements embedded in the newsletter (pixels), which establish a connection with the image server when the e-mail is opened. In addition, we use links where we first register a click on this link and only then redirect the user to the desired target page.

The legal basis for this is your consent in accordance with Article 6(1)(a) GDPR. You can revoke your consent to the analysis of your usage behaviour at any time with future effect by unsubscribing from the newsletter. You can also prevent the measurement of your email opening rate by deactivating graphics or the output of HTML content in your e-mail programme by default.

2.4 Job applications

You are welcome to apply for open positions at ZOiS. In this case, the purpose of data collection is the selection of applicants with a view to the potential establishment of an employment relationship. In the course of receiving and processing your application, we process the following personal data in particular (hereinafter ‘application data’):

  • First and last name;
  • E-mail address, telephone number;
  • Application documents (e.g. certificates, CV);
  • Date of earliest possible job start;
  • Salary expectation.

The legal basis for processing your application data is Article 6(1)(b) and Article 88(1) GDPR in conjunction with Section 26 (1) p. 1 of the Federal Data Protection Act (BDSG).

We store your personal data upon receipt of your application. If we accept your application and an employment relationship is subsequently established, we store your application data for as long as necessary for the employment relationship and insofar as legal regulations require this.

If we reject your application, we will store your application data for a maximum of six months after rejecting your application, unless you give us your consent to store it for longer. If you have given us your consent separately in accordance with Article 6(1)(a) GDPR, we will store your application data after the end of the application process in order to be able to identify any other interesting positions for you and approach you again if necessary. After expiry of the deadline, the data will be deleted. You can revoke your consent at any time with future effect.

You can find further information in the Data protection information for applicants.

3. Use of tools on the website

3.1 Technologies used

This website uses various services and applications (referred to collectively as ‘tools’), which are provided either by us or by third parties. This includes, in particular, tools that use technologies to store or access information in the end device:

  • Cookies: information stored on the end device, consisting in particular of a name, a value, the storing domain and an expiry date. Session cookies (e.g. PHPSESSID) are deleted after the session, while persistent cookies are deleted after the specified expiry date. Cookies can also be removed manually.
  • Web storage (local storage/session storage): information stored on the end device, consisting in particular of a name and a value. Information in the session storage is deleted after the session, while information in the local storage has no expiry date and generally continues to be stored unless a mechanism for deletion has been set up (e.g. storing a local storage entry together with a time entry). Information in the local and session storage can also be removed manually.
  • JavaScript: program code (scripts) embedded in or accessed from the website which, for example, sets cookies and web storage or actively collects information from the end device or about the usage behaviour of the visitor. JavaScript can be used for ‘active fingerprinting’ and usage profiling. JavaScript can be blocked by a setting in the browser, although most services will then no longer function.

With the help of these technologies and also through the mere establishment of a connection on a page, so-called ‘fingerprints’ can be created, i.e. usage profiles that do not require the use of cookies or web storage and can still recognise visitors. Fingerprints due to connection establishment cannot be completely prevented manually.

Most browsers are set by default to accept cookies, run scripts and display graphics. However, you can usually adjust your browser settings to reject all or certain cookies or block scripts and graphics. If you completely reject cookies and block graphics and scripts, our services will probably not work or not work properly.

In what follows, we list the tools we use by category, informing you in particular about the providers of the tools, the storage period foreseen for the cookies or information in local storage and session storage, and the transfer of data to third parties. We also explain the cases in which we obtain your voluntary consent to use the tools and how you can revoke it.

3.2 Legal basis and revocation

3.2.1 Legal basis

We use tools necessary for the operation of our website on the basis of our legitimate interest in ensuring the basic functions of our website pursuant to Article 6(1)(f) GDPR. In certain cases, these tools may also be necessary for the fulfilment of a contract or for the implementation of pre-contractual measures, in which case the processing is carried out in accordance with Article 6(1)(b) GDPR. Access to and the storage of information in the end device is absolutely necessary in these cases and takes place on the basis of the national laws developed by EU member states for the purpose of transposing the ePrivacy Directive (in Germany, Section 25 paragraph 2 TTDSG).

Our use of all other optional tools with additional functions is based on your consent in accordance with Article 6(1)(a) GDPR. Access to and the storage of information in the end device then takes place on the basis of the national laws developed by EU member states for the purpose of transposing the ePrivacy Directive (in Germany, Section 25 paragraph 1 TTDSG). Data is processed using these tools only if we have received your consent in advance.

If personal data is transferred to third countries (e.g. the USA), we refer you to section 6 of this policy, ‘Data transfer to third countries’, also with regard to the risks this may entail. We will inform you if an adequacy decision exists for the third country in question or if standard contractual clauses or other guarantees have been concluded for the use of certain tools. If you have consented to the use of certain tools and to the associated transfer of your personal data to third countries, we (also) transfer the data processed when using the tools to third countries on the basis of this consent pursuant to Article 49(1)(a) GDPR.

3.2.2 Obtaining your consent

For the collection and management of your consents, we use the Cookieman tool of the TYPO3 Association, Gewerbestraße 10, CH-4450 Sissach, Switzerland (‘Cookieman’). This generates a banner informing you of the data processing on our website, which gives you the option of consenting to all, some or no data processing with optional tools. This banner appears the first time you visit our website and when you revisit your settings to change them or withdraw consents. The banner will also appear on further visits to our website if you have deactivated the storage of cookies or if the cookies or information in Cookieman’s local storage have been deleted or have expired.

Cookieman stores the necessary information on your end device to document the consent and revocation you have given (Cookie ‘CookieConsent’ - storage period 1 year).

Data processing by Cookieman is necessary to provide you with the legally required consent management and to comply with our documentation obligations. The legal basis for the use of Cookieman is Article 6(1)(f) GDPR, on the basis of our legitimate interest in fulfilling the statutory requirements for consent management. Access to and the storage of information in the end device is absolutely necessary in these cases and takes place on the basis of the national laws developed by EU member states for the purpose of transposing the ePrivacy Directive (in Germany, Section 25 paragraph 2 TTDSG).

3.2.3 Revoking your consent or changing your selection

You can revoke your consent for certain tools, i.e. for the storage of and access to information in the end device, the processing of your personal data and the transfer of your data to third countries, at any time with future effect. To do so, click on the link "Privacy" in the footer of this website. There, you can also change the selection of tools you wish to consent to using and obtain additional information on the tools used. Alternatively, you can assert your revocation for certain tools directly with the provider.

3.3 Necessary own tools

We use our own necessary tools to access or store information on the end device in order to enable the basic functions of our website (‘necessary tools’), in particular:

  • To save your language settings,
  • To register that you have already been shown information placed on our website – so that this is not shown again on your next visit to the website.

Without these tools we could not provide our service. Therefore, necessary tools are used without obtaining your consent.

We use necessary tools for the operation of our website on the basis of our legitimate interest in ensuring the basic functions of our website pursuant to Article 6(1)(f) GDPR. In those cases where the provision of the respective website functions is necessary for the fulfilment of a contract or for the implementation of pre-contractual measures, data processing is carried out in accordance with Article 6(1)(b) GDPR. Access to and the storage of information in the end device is absolutely necessary in these cases and takes place on the basis of the national laws developed by EU member states for the purpose of transposing the ePrivacy Directive (in Germany, Section 25 paragraph 2 TTDSG).

In the event that personal data is transferred to third countries (such as the USA), we refer to section 6 of this policy, ‘Data transfer to third countries’, in addition to the information provided below.

3.4 Functional tools

We also use optional tools to improve our website’s user experience and to provide you with more features (‘functional tools’). While these tools are not essential to support the website’s basic functions, they can offer users significant benefits, mainly as regards the provision of additional communication channels. This may include, in particular, the embedding of external content such as videos.

The legal basis for this use of functional tools is your consent in accordance with Article 6(1)(a) GDPR, which you submit via the consent banner or the tool itself by allowing the use of the tool individually via an overlay. Access to and storage of information on the end device are then governed by the national laws developed by EU member states for the purpose of transposing the ePrivacy Directive (in Germany, Section 25 paragraph 1 TTDSG). For information on revoking your consent, see Section 3.2.3: ‘Revoking your consent or changing your selection’.

In cases where personal data is transferred to third countries (e.g. the USA), your consent explicitly extends to this data transfer as well (Article 49(1)(a) GDPR). For information about the risks involved, please refer to Section 6: ‘Data transfer to third countries’.

YouTube videos

We have embedded videos in our website; these videos are stored by YouTube and can be played back from our website. YouTube is a multimedia service provided by YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA (‘YouTube’) and supplied to users in the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, and to all other users by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (collectively known as ‘Google’). YouTube may place items of information such as cookies and local storage and session storage data on your end device; it may also execute JavaScript functions which access information on your device.

We have enabled YouTube’s privacy-enhanced mode. According to its own documentation, this means that Google then receives less usage information from YouTube and its video recommendations and advertisements will be non-personalised. However, cookies will continue to be placed and data stored in the local storage and session storage on your end device, including, in particular, your device ID and other information relating to video playback, which can be accessed by Google. The specific information that will be stored/read depends on various factors, principally whether you are already logged into your YouTube account when accessing our pages and which browser you are using.

The following cookies may be placed by YouTube:

  • “PREF” (8 months): used to store your preferences like autoplay choices and player size.

The following information may be placed in your device’s local storage:

  • “yt-remote-device-id”: stores the device ID;
  • “yt-player-headers-readable”: stores the option to read the player header information;
  • “yt.innertube::requests”: stores the user’s requests;
  • “yt.innertube::nextId”: stores the ID of the next video;
  • “yt-remote-connected-devices”: stores the connected end devices;
  • “yt-player-bandwidth”: stores the connection bandwidth;
  • “yt-player-volume”: stores volume preferences;
  • “yt-player-quality”: stores the video quality/resolution;
  • “yt-player-performance-cap”: stores possible performance cap based on connection bandwidth;
  • “yt-html5-player-modules::subtitlesModuleData::module-enabled”: stores whether subtitles are enabled.

The following information may be stored in session storage:

  • “yt-remote-session-app”: stores the type of end device;
  • “yt-remote-cast-installed”: stores whether YouTube streaming is installed;
  • “yt-remote-session-name”: stores the type of end device;
  • “yt-remote-cast-available”: stores whether YouTube streaming is available;
  • “yt-remote-fast-check-period”: stores the check on the connection bandwidth;
  • “yt-player-volume”: stores volume preferences;
  • “yt-player-caption-language-preferences”: stores the language of subtitles.

The legal basis for this data processing is your consent in accordance with Article 6(1)(a) GDPR. Access to and storage of information on the end device are then governed by the national laws developed by EU member states for the purpose of transposing the ePrivacy Directive (in Germany, Section 25 paragraph 1 TTDSG). The transfer of your data to the USA and other third countries requires your explicit consent under Article 49(1)(a) GDPR.

When you visit our website, YouTube and Google will be notified that you have accessed the corresponding page of our website. This takes place whether or not you are logged into YouTube or Google. YouTube and Google use this data for advertising and market research purposes and in order to tailor their services to identified needs. If you access YouTube from our website while you are logged into your YouTube or Google account, YouTube and Google will be able to associate this event with your corresponding profile. To avoid this, you must log out of Google before accessing our website.

In addition to your right to revoke your consent, you have the option to disable personalised advertising in Google’s Ad Settings. In this case, Google will display non-personalised advertisements only: https://adssettings.google.com/notarget.

For further information, please refer to the Google Privacy Policy, which is also applicable to YouTube: https://policies.google.com/privacy.

Datawrapper

Our website uses the visualisation service Datawrapper, which is offered by Datawrapper GmbH, Raumerstraße 39, 10437 Berlin.

Datawrapper is an online tool for creating and visualising data in the form of interactive charts, maps and graphics. It enables us to visualise and share data. We use Datawrapper to incorporate geographical locations into an interactive map. The processing of data by Datawrapper is based on the legitimate interest pursuant to Article 6(1)(f) GDPR to provide users with a user-friendly way to create and visualise data.

The following data is processed in the use of Datawrapper:

  • Technical data, including the IP address, the browser, the operating system, the date and the time of access
  • Data for visualisation, including charts, maps and graphics

The data is only required for the technical implementation of the embedding and is deleted from all systems after a maximum of 24 hours. The processed data is used exclusively for the purpose of providing and optimising the Datawrapper service and creating the desired data visualisation. The data will not be passed on to third parties unless this is required by law.

Further information on data protection at Datawrapper can be found at https://www.datawrapper.de/privacy.

3.5 Analytics: Matomo

In order to improve our website, we use optional tools (‘analytics’) to log visitors and to collect statistics and analyse general user behaviour based on access data. We also use analytics services to evaluate usage of our various marketing channels. The usage information collected is aggregated and processed, enabling us to gain insights into our visitors’ usage habits. This helps us to adapt and optimise the design of our website and enhance the user experience.

The legal basis for the use of analytics is your consent in accordance with Article 6(1)(a) GDPR. Access to and storage of information on the end device are then governed by the national laws developed by EU member states for the purpose of transposing the ePrivacy Directive (in Germany, Section 25 paragraph 1 TTDSG). For information on revoking your consent, see Section 3.2.3: ‘Revoking your consent or changing your selection’.

In cases where personal data is transferred to third countries (e.g. the USA), your consent explicitly extends to this data transfer as well (Article 49(1)(a) GDPR). For information about the risks involved, please refer to Section 6: ‘Data transfer to third countries’.

Matomo

This website uses Matomo (formerly known as Piwik), an open-source analytics platform which can be used for statistical analysis of visits to our website. Matomo is operated on our webspace (on-premise) by our service provider wegewerk (wegewerk GmbH, Saarbrücker Str. 24, 10405 Berlin). JavaScript and cookies are used.

We have enabled the following privacy settings in Matomo:

  • IP Anonymisation (abbreviation of the IP address before analysis in order to protect your identity);
  • Processing (particularly geolocation) and storage of your visit using the anonymised IP address only;
  • Automatic deletion of old visitor logs/limit on duration of storage;
  • Respect Do Not Track preference.

The following data may be stored in the user log together with a pseudonymised user ID:

  • Anonymised IP address;
  • Referrer URL (address of page that directed the user to our website);
  • Pages accessed (date, time, URL, heading, duration of view);
  • Downloads;
  • Clicked links to other websites;
  • If relevant, end goals achieved (conversions);
  • Technical information: operating system; browser type, version and language; device type, make, model, resolution;
  • Approximate location (country and possibly city, based on anonymised IP address).

While Matomo is in use, the following cookies are placed on your device for the specified purpose and storage periods:

  • “_pk_id” (13 months): used to store user ID;
  • “_pk_ref” (6 months): used to store information about the referrer URL;
  • “_pk_ses”, “_pk_cvar”, “_pk_hsr” (30 minutes): used to temporarily store usage data;
  • If relevant, “mtm_consent”, “mtm_cookie_consent” (30 years): used to remember that consent was given by the user.

The legal basis for this data processing is your consent in accordance with Article 6(1)(a) GDPR. Access to and storage of information on the end device are then governed by the national laws developed by EU member states for the purpose of transposing the ePrivacy Directive (in Germany, Section 25 paragraph 1 TTDSG).

For further information, please refer to Matomo’s Privacy notice: https://matomo.org/privacy/

3.6 Marketing tools

We also use optional tools for advertising purposes (‘Marketing Tools’). Some of the access data generated when using our website is used to create usage profiles, which store in particular your usage behaviour, the advertisements you have viewed or clicked on and, based on this, the classification into advertising categories, interests and preferences. By analysing and evaluating this access data, we are able to present you with personalised advertising, i.e. advertising that corresponds to your actual interests and needs, on our website and on the websites and services of other providers. We also analyse your usage behaviour in order to recognise you on other pages and to address you in a personalised manner based on your use of our site (so-called retargeting). In addition, we evaluate the effectiveness and success of our advertising campaigns (especially so-called conversions and leads).

Marketing tools also include optional social network tools that are used to share posts and content via these networks (‘social media plugins’).

The legal basis for the marketing tools is your consent in accordance with Article 6(1)(a) GDPR, which you submit via the consent banner or the tool itself by allowing the use of the tool individually via an overlay. Access to and the storage of information in the end device then takes place on the basis of the national laws developed by EU member states for the purpose of implementing the ePrivacy Directive (in Germany, Section 25 paragraph 1 TTDSG). For information on revoking your consent, see Section 3.2.3: ‘Revoking your consent or changing your selection’.

In cases where personal data is transferred to third countries (e.g. the USA), your consent explicitly extends to this data transfer as well (Article 49(1)(a) GDPR). For information about the risks involved, please refer to Section 6: ‘Data transfer to third countries’.

4. Online presence in social networks

We maintain an online presence in social networks, among other things in order to communicate with users and inform them about our activities. These social networks generally process users’ data for market research and advertising purposes. In this way, user profiles can be compiled on the basis of users’ interests. Cookies and other identifiers are stored on the data subjects’ devices for this purpose. Based on these profiles, advertisements, for example, can then be placed on these social networks and on third-party websites.

During the operation of our online presence, we may, on occasion, be able to access information provided by the social networks, such as statistics on the use of our online presence. These statistics are aggregated and may include, in particular, demographic information (e.g. age, gender, region, country) and data about interactions with our online presence (e.g. likes, subscriptions, shares, views of images and videos) and related posts and content. These in turn may reveal information about users’ interests and indicate which content and topics are particularly relevant to them. We may also use this information in order to adapt the design, activities and content of our online presence and optimise them for our audience. Please refer to the list below for details and links relating to the social network data that we are able to access as an operator of an online presence. The collection and use of these statistics are generally subject to joint controllership. The relevant contract, where applicable, is stated below.

The legal basis for this data processing is Article 6(1)(f) GDPR for the purposes of our legitimate interest in effective provision of information and communication with users.

If you have an account with the social network, we may be able to view your publicly available information and media when we access your profile. Furthermore, the social network may, under certain circumstances, enable us to make contact with you, e.g. via direct messaging or posts. The communication of content via the social network and the processing of content-related data are subject to the controllership of the social network as the messaging and platform service.

For information about the legal basis for data processing by the social networks under their controllership, please refer to the privacy notice of the social network concerned. Further information on this data processing and on opportunities to lodge objections is available via the links below.

We would point out that the most efficient way to obtain an answer to data protection enquiries is to contact the social network provider concerned, as only the providers have access to the data and are in a position to take the appropriate measures. You may, of course, bring the matter to our attention as well. In this case, we will process your enquiry and forward it to the relevant social network provider.

Below, we provide a list with information about the social networks on which we maintain an online presence:

5. Transfer of data

In principle, data collected by us is passed on only if, in the specific case, a legal basis for doing so exists in data protection law, in particular if:

  • you have given your explicit consent to the transfer in accordance with Article 6(1)(a) GDPR,
  • the forwarding of the data in accordance with Article 6(1)(f) GDPR is necessary for the establishment, exercise or defence of legal claims and there are no grounds to assume that you have an overriding interest, which requires protection, in preventing the onward transmission of your data,
  • we have a statutory obligation to pass on the data in accordance with Article 6(1)(c) GDPR; this applies particularly if, on the grounds of requests from public authorities, judicial decisions or legal proceedings, this is necessary for the pursuit or enforcement of justice,
  • this is authorised by law and, in accordance with Article 6(1)(b) GDPR, is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract.

Some of the data processing may be undertaken by our service providers. In addition to those mentioned in this Privacy Policy, these service providers may include, in particular, computer centres which store our website and databases, software providers, IT service providers who service our systems, agencies, market research companies, affiliated companies and consultancy firms. If we pass on data to our service providers, they must use the data solely for the performance of their tasks. We have carefully chosen and commissioned the service providers. They are contractually bound by our instructions, have put in place appropriate technical and organisational measures for the protection of the rights of the data subjects and are regularly checked by us.

6. Data transfer to third countries

As stated in this Privacy Policy, we use services whose providers, in some cases, are located in third countries (outside the European Union and the European Economic Area) or process personal data there; these are countries whose level of data protection may not reach the level applicable in the European Union. Insofar as this is the case and the European Commission has not adopted an adequacy decision in respect of these countries (Article 45 GDPR), we have taken corresponding measures to ensure an adequate level of data protection for any transfer of data that may be made. These measures include the European Union’s standard contractual clauses and binding corporate rules.

If this is not possible, we base the data transfer on derogations under Article 49 GDPR, particularly your explicit consent or the necessity of the transfer for the performance of a contract or the implementation of pre-contractual measures.

Insofar as transfer to a third country is envisaged and no adequacy decision or appropriate guarantees are available, there is both a possibility and a risk that public authorities in the third country concerned (e.g. intelligence services) may gain access to the transferred data for the purposes of data-gathering and analysis and that the enforceability of your rights as the data subject may not be guaranteed. Information on this topic will be provided to you when you give your consent via the consent banner.

7. Storage duration

In principle, we only store personal data for as long as is necessary for the fulfilment of the purposes for which we collected the data. After this, we delete the data without undue delay unless we still require the data until the expiry of the statutory limitation period for purposes of proof for civil law claims or due to statutory periods of safekeeping, or if, in the specific case at hand, another legal basis exists in data protection law justifying the continued processing of your data.

We are obliged to store contractual data, in particular, for purposes of proof for three years after the end of the year in which the business relationship with you ends. Any claims lapse at this point in time, at the earliest, following the usual statutory limitation period.

Even after this time, we are required to store some of your data for accounting reasons. We have an obligation to do so due to statutory duties of documentation, which may arise, for example, from the Commercial Code or the German Fiscal Code. The time-limits prescribed therein for the safekeeping of documents are between two and ten years.

8. Your rights, particularly revocation and objection

As the data subject, you may, at any time, assert the following rights, as provided for in Article 7(3), Articles 15–21 and Article 77 GDPR, provided that the relevant legal requirements are met:

  • Right to withdraw your consent (Article 7(3) GDPR);
  • Right to object to the processing of your personal data (Article 21 GDPR);
  • Right to information about the processing of your personal data by us (Article 15 GDPR);
  • Right to rectification of inaccurate personal data concerning you and stored by us (Article 16 GDPR);
  • Right to erasure of your personal data (Article 17 GDPR);
  • Right to restriction of processing of your personal data (Article 18 GDPR);
  • Right to portability of your personal data (Article 20 GDPR);
  • Right to lodge a complaint with a supervisory authority (Article 77 GDPR).

In order to assert your rights described here, you may, at any time, make use of the contact details provided above. The same applies if you wish to receive copies of guarantees proving an adequate level of data protection. Provided that the relevant legal requirements are met, we will comply with your data protection request.

Your requests to assert your data protection rights and our replies will be held in safekeeping for a period of up to three years for documentation purposes and occasionally, in individual cases, for longer periods for the establishment, exercise or defence of legal claims. The legal basis is Article 6(1)(f) GDPR for the purposes of our interest in mounting a defence against any civil law claims (Article 82 GDPR), avoiding administrative fines (Article 83 GDPR) and fulfilling our duty of accountability (Article 5(2) GDPR). 


You have the right to revoke consent already granted in relation to us at any time. This has the consequence that we will no longer continue the data processing based on this consent for the future. Revocation of the consent does not affect the lawfulness of the processing which took place in the past on the basis of the consent until the time of revocation.

Insofar as we process your data for the purposes of our legitimate interests, you have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data. Where personal data are processed for direct marketing purposes, you have a general right of objection which we will also respect even without a statement of reasons.

If you wish to assert your right of revocation or objection, simply notify us using the contact details provided.


You also have the right to lodge a complaint with a supervisory authority responsible for data protection. You may, for example, exercise this right by lodging a complaint with a supervisory authority in the member state of your habitual residence, place of work or place of the alleged infringement. In Berlin, where ZOiS is based, the supervisory authority is the Berlin Commissioner for Data Protection and Freedom of Information: Die Berliner Beauftragte für Datenschutz und Informationsfreiheit, Friedrichstr. 219, 10969 Berlin.

9. Changes to this Privacy Policy

We occasionally update this Privacy Policy, for example if we make changes to our website or if the relevant statutory or administrative provisions have been amended.

 


Archive

 

Earlier versions of the ZOiS Data Protection Declaration

Version 1 / June 2017