Privacy Policy

Our privacy policy was last changed on January 01, 2019.

General remarks

Thank you for your interest in our privacy policy. We are glad that you are interested in how we process your data.

We are committed to privacy, so we have designed our services from the ground up to collect as little data as possible. We also try our best to keep data processing at a minimum.
Most features on our websites will be executed entirely on your own computer, so the data you enter will never even reach our servers. Furthermore, our websites can only be accessed via a TLS-encrypted connection to ensure that your connection to our server cannot be compromised by third parties.
To exercise your privacy rights, we of course recommend using our generator which will help you generate the appropriate requests for free.

In this privacy policy, we would like to explain to you what data we collect and what rights you have.

Scope

This privacy policy applies to all activities of Datenanfragen.de e. V. (“the association”).

This includes the data we collect and process from our members but also the data that is incurred from donations and the like.

In addition, this includes the websites Datenanfragen.de and datarequests.org, as well as verein.datenanfragen.de.

The association’s purpose is to support the general public in exercising their right to privacy (“right to informational self-determination”) by informing and advising them on all questions regarding personal data protection. We are bound by our constitution in all our activities.

With our websites Datenanfragen.de and datarequests.org, we want to help you exercise your right to privacy. In order to do so, we offer a generator that helps you automatically generate requests, a company database with contact data for privacy-related requests to many companies and educational material on subjects related to privacy and data protection.
Finally, the website verein.datenanfragen.de has information on the association and allows you to join or donate among other things.

Controller and contact information

The controller as defined in Art. 4(7) GDPR for the services mentioned under “Scope” is:

Datenanfragen.de e. V.
Schreinerweg 6
38126 Braunschweig
Germany

Legally represented by: Benjamin Altpeter and Lorenz Sieben
Datenanfragen.de e. V. is a non-profit listed in the register of associations of the district court of Braunschweig, under the registration number VR 201732, and recognized as a charitable organisation by the Braunschweig-Wilhelmstraße tax office.

Phone: +49 531 209299 35
Fax: +49 531 209299 36
Email: privacy@datenanfragen.de (PGP key CC13 973A F8FD 11D1 4D94 98A8 0269 92F0 CF2C BB2E)
Web: verein.datenanfragen.de

If you have any questions about our privacy policy, believe that we are in violation of data protection laws or wish to assert your rights, please feel free to contact us at any time.

Do Not Track

We respect the Do Not Track (DNT) option that you can set in your browser. If you have enabled it, we will deactivate all telemetry (currently there is none but we may implement privacy-friendly telemetry in the future).

We also recommend that you install Privacy Badger, a free and open source browser extension that sets the DNT header for you and automatically blocks websites that do not adhere to it.

Profiling

We do not use profiling or any other type of automated decision making.

Collected data

To fulfill our association’s purpose, to operate our website and to provide our services, we have to collect and process some personal data. Our top priority is to minimise data collection and processing: We only collect personal data where it is necessary and only to the extent that it is necessary. In addition, data is always collected for a specific purpose and storage is limited to the necessary period of time.

In order to give you the greatest possible control over your privacy, you can set whether you want to activate many functions of our websites at any time via our privacy controls. A cookie is stored in your browser for each option. It only contains an indication as to whether you have activated or deactivated the respective option, but no personal data.

In this section we would like to explain to you exactly under which circumstances we collect and process which data. Not listed here are the processing operations that take place exclusively on your own computer and for which no data is transferred to us. You can find further information about these in the above-mentioned privacy controls.

Data we collect automatically

Server log files

When you visit one of our websites, your browser connects to a server run by Netlify, Inc., 610 22nd Street, Suite 315, San Francisco, CA 94107, USA. This server will store some information about the connection in a so-called log file. We have no access to these log files. To find out more about how Netlify processes your data, have a look at their privacy policy.

In addition to that, some of the files on our website are requested from servers run by Amazon Web Services EMEA SARL, 5 rue Plaetis, L-2338 Luxembourg, Luxembourg (the authorized representative of Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109, USA in the European economic area). These servers may collect aggregated statistics on how the services are used. While we have access to these statistics, we cannot influence whether or how they are collected.
Amazon Web Services, Inc. is certified under the US-European “Privacy Shield” framework, which ensures that the EU data protection level is maintained, through Amazon.com, Inc. For more information on how Amazon Web Services processes your data, please refer to their data privacy FAQ.

  • Affected data: the specific page you visited, the date and time of your visit, the origin of your request (the so-called “referrer”), information about your browser and operating system (the so-called “user-agent string”), your country and your IP address
  • Lawful basis: The data is stored on the basis of our (and our hosting partners’) legitimate interest in improving the stability and functionality of the servers in use in accordance with Art. 6(1) lit. f GDPR.
  • Duration of storage: 30 days for Netlify; 60 days for Amazon Web Services

Data you provide to us

User content (like comments and contributions to our company database)

If you post content on datarequests.org (like comments or contributions to our company database), it may contain personal data. The disclosure of this data is entirely voluntary for you. Not providing it has no influence on your use of our website.

  • Affected data: the data you provide in your contribution
  • Lawful basis: The basis of the storage is our legitimate interest to display the user contributions on our website in accordance with Art. 6(1) lit. a GDPR.
  • Duration of storage: indefinitely
  • Data disclosure: User content is publicly accessible via our website.

Error reports

If you report an error to us, your report may contain personal data. The disclosure of this data is entirely voluntary for you. Not providing it has no influence on your use of our website.

  • Affected data: information about the error that occurred, information about your browser and operating system (the so-called “user-agent string”), the complete URL of the specific page you were visiting when the error occurred and potentially data you entered on that page
    We will always display all the information included in the report to you before you send it and give you the ability to alter or remove information from it.
  • Lawful basis: The basis of the storage is our legitimate interest to improve the stability and functionality of our website in accordance with Art. 6(1) lit. a GDPR.
  • Duration of storage: indefinitely
  • Data disclosure: The content of error reports may be publicly accessible via our GitHub issue tracker.
    GitHub is operated by GitHub, Inc., 88 Colin P Kelly Jr Street, San Francisco, CA 94107, USA or their subsidiary GitHub BV, Vijzelstraat 68 – 72, 1017 HL Amsterdam, Netherlands. For more information on how GitHub processes your data, please refer to their privacy policy. GitHub, Inc. is certified under the US-European “Privacy Shield” framework, which ensures that the EU data protection level is maintained.

Membership applications

If you want to become a member of the association, you need to provide some data through the membership application form. This data is necessary for our records and for us to be able to contact you with important information regarding your membership (like invitations to the general assembly, donation receipts or payment reminders).

Providing this data is necessary for us to fulfill our obligations laid down in our constitution and the law. Thus, you can unfortunately not become a member of Datenanfragen.de e. V. without providing said data.

  • Affected data: Your name, the contact details you provided (an email address with an optional PGP key and, also optionally, a postal mail address), the kind of membership (active or supporting membership) and your membership fee
  • Lawful basis: Collecting and processing this data is necessary for becoming a member; it is based on Art. 6(1) lit. b GDPR.
  • Duration of storage: If your request is not accepted, we will delete the data immediately. If your application is accepted and you become a member of the association, we will store the data for the duration of your membership. After your withdrawal from the association, we will delete all data that we no longer need within 30 days. For some data (including letters and receipts), however, there are legal storage obligations of currently up to ten years (see in particular § 147(3) of German AO).
  • Data disclosure: Only the board has access to this data. Under certain circumstances we may be legally obliged (e.g. on the basis of § 37 of German BGB) to pass on your contact data to other members of the association for internal communication.

Membership fees

As a member you are likely required to pay membership fees in accordance with our membership fee regulation. After your membership application has been accepted, we will ask for your payment details and the desired payment method. We need this data for billing purposes and for issuing donation receipts.

  • Affected data: the amount of the corresponding membership fee, your name, your payment details, the payment method, the date of payment
  • Lawful basis: The collection and processing is necessary for the settlement of membership fees and is based on Art. 6(1) lit. b GDPR. In addition, we are subject to certain legal accounting obligations, for which we have to store and process the data pursuant to Art. 6(1) lit. c GDPR.
  • Duration of storage: as long as there are legal storage obligations (refer in particular to § 147(3) of German AO)
  • Data disclosure: Only the board has access to this data. We may have to pass it on to the tax office responsible for us as part of tax statements or similar.
    If you decide to pay through one of the external payment gateways we offer, these gateways will receive personal data on you and your payment and will provide some of that data to us. For more details on those third parties and the affected data, have a look at the “External services” section below.

Single and recurring donations

If you send us donations, we will receive data that we have to store and process for accounting purposes.

We are happy to accept anonymous donations, so providing this information is completely voluntary for you.

  • Affected data: the donation amount, if applicable your payment details, the payment method, the date of payment
  • Lawful basis: We are subject to certain legal accounting obligations, therefore the storage and processing is based on Art. 6(1) lit. c GDPR.
  • Duration of storage: as long as there are legal storage obligations (refer in particular to § 147(3) of German AO)
  • Data disclosure: Only the board has access to this data. We may have to pass it on to the tax office responsible for us as part of tax statements or similar.
    If you decide to pay through one of the external payment gateways we offer, these gateways will receive personal data on you and your payment and will provide some of that data to us. For more details on those third parties and the affected data, have a look at the “External services” section below.

Contacting us

If you contact us (e.g. by email), your message may contain personal data. We will use this data exclusively to answer your message.

You do not have to provide any data to contact us, so the disclosure of this data is completely voluntary for you.

  • Affected data: the data you include in your message
  • Lawful basis: The storage is based on our legitimate interest in replying to your message in accordance with Art. 6(1) lit. f GDPR.
  • Duration of storage: as long as there are legal storage obligations

Newsletter

We offer a newsletter with information about the activities of the association, for which you can register e.g. in the membership application form. If you decide to do so, we will send you the relevant information via the contact option you have provided (by e-mail or post).

The subscription is entirely voluntary for you. It is currently only available to members of the association.

  • Affected data: the contact details you provided (an email address with an optional PGP key or a postal mail address)
  • Lawful basis: By subscribing, you consent to the sending of the newsletter in accordance with Art. 6(1) lit. a GDPR. You can revoke this consent at any time; you can find out how to do this in the section “Right to revoke given consent”.
  • Duration of storage: for the duration of your membership or until you unsubscribe from the newsletter, whichever happens first
  • Data disclosure: The newsletter is sent by the board.

External services

In order to make our services more interesting and efficient, we work with some external services.

CoinGate

We allow you to make payments to the association (especially donations and membership fees) through the payment gateway CoinGate. CoinGate is run by UAB Virtualios valiutos, A. Goštauto g. 8, LT-01108 Vilnius, Lithuania.
We use CoinGate for crypto currency transactions. We will display a note in the payment form if your payment is made through CoinGate.

If you make a payment through CoinGate, UAB Virtualios valiutos receives all data incurred in the payment process, especially including: the payment amount, the crypto currency you are using, your payment details (like your Bitcoin wallet address), potentially your name, potentially your email address.
For more details on how CoinGate processes your data, have a look at their privacy policy.

Mollie

We allow you to make payments to the association (especially donations and membership fees) through the payment gateway CoinGate. Mollie is run by Mollie B.V., Keizersgracht 313, 1016 EE Amsterdam, Netherlands.
We use CoinGate for example for credit card transactions. In any case, we will display a note in the payment form if your payment is made through Mollie.

If you make a payment through Mollie, Mollie B.V. receives all data incurred in the payment process, especially including: your payment details (for example your bank account or credit card details) including the amount, your IP address, your browser and device type, potentially your name, potentially your address, potentially information on the kind of payment you are making to us, potentially all other data you actively provide (like when interacting with Mollie’s support).
For more details on how CoinGate processes your data, have a look at their privacy policy.

PayPal

We allow you to make payments to the association (especially donations and membership fees) through the payment gateway PayPal. PayPal is run by PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal L-2449, Luxembourg.
We will display a note in the payment form if your payment is made through PayPal.

If you make a payment through PayPal, PayPal (Europe) S.à.r.l., S.C.A. receives all data incurred in the payment process, especially including: the amount, data on the payment source for the transaction (for example your bank account or credit card details), device details, technical usage details, location details, your name, your address, your phone number, your email address.
For more details on how PayPal processes your data, have a look at their privacy policy.

Your rights

The GDPR grants you comprehensive rights with regard to data protection. We are strongly convinced that the right to data protection is a fundamental right and therefore we fully stand behind these rights. You can exercise these rights at any time in an informal manner using the contact details given in the “Controller and contact information” section.
We of course invite you to use our generator which will assist you with writing requests.

Right to data access

According to Art. 15 GDPR, you first of all have the right to request confirmation as to whether we store personal data on you. If so, you may request a copy of this information and are furthermore entitled to the following information:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the personal data are not collected from the data subject, any available information as to their source;
  • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Right to data portability

In accordance with Art. 20 GDPR, you also have the right to receive the personal data concerning you that you have made available to us in a structured, commonly used and machine-readable format and to transmit this data to another controller without obstruction by us if the processing is based on consent pursuant to Art. 6(1) lit. a GDPR, Art. 9(2) lit. a GDPR or on a contract pursuant to Art. 6(1) lit. b GDPR and the processing is carried out using automated procedures.

Right to rectification

According to Art. 16 GDPR, you have the right to request us to correct any inaccurate personal data concerning you without undue delay. Furthermore, you have the right to request the completion of incomplete personal data—also by means of a supplementary declaration.

Right to erasure (“Right to be forgotten”)

According to Art. 17 GDPR, you have the right to demand that we delete personal data concerning you without undue delay.

This right is limited in particular when the processing is necessary to exercise the right to freedom of expression and information, to fulfil a legal obligation or to assert, exercise or defend legal claims.

Right to revoke given consent

According to Art. 7(3) GDPR, you have the right to revoke your consent given to us at any time.

Right to restriction of processing

According to Art. 18 GDPR, you have the right to demand the restriction of the processing of your personal data if you dispute the accuracy of the personal data, if the processing is unlawful, if we no longer need the data for the purpose of processing or if you have filed an objection to the processing pursuant to Art. 21(1) GDPR, as long as it is not yet clear whether our legitimate interests outweigh yours.

Right to notification to recipients

If you request us to correct, delete or restrict the processing of your personal data in accordance with Articles 16, 17 and 18 respectively, we will notify all recipients to whom we have disclosed the relevant data in accordance with Art. 19 GDPR.

Right to object

According to Art. 21 GDPR, you have the right to object at any time to the processing of personal data concerning you which is necessary for the performance of a task in the public interest or because of our legitimate interest on the basis of Article 6(1) lit. e or f respectively, for reasons arising from your particular situation. We will then no longer process the personal data, unless we can prove compelling legitimate grounds for the processing, which outweigh your interests, rights and freedoms or the processing serves the assertion, exercise or defense of legal claims.

If we use your personal data for direct marketing, you have the right to object to such processing at any time. We will then no longer use your data for such purposes.

Right to lodge a complaint with a supervisory authority

According to Art. 77 GDPR, without prejudice to any other administrative or judicial remedy, you have the right of appeal to a supervisory authority, in particular in the member state of your usual place of residence, your workplace or the place of the alleged infringement, if you are of the opinion that the processing of personal data concerning you violates the GDPR.

The following supervisory authority is responsible for us:

Die Landesbeauftragte für den Datenschutz Niedersachsen
Prinzenstraße 5
30159 Hannover
Germany

Phone: +49 511 120 4500
Fax: +49 511 120 4599
Email: poststelle@lfd.niedersachsen.de (PGP key)
Web: www.lfd.niedersachsen.de