Privacy policy


Recitals

The Kronberg Academy Foundation takes the protection of your personal data extremely seriously. We therefore adhere very strictly to the rules laid down in data protection legislation.

We only process the personal data (“data”) of data subjects in a manner which conforms with the General Data Protection Regulation (“GDPR”). Data processing is necessary, in particular, to enable us to provide our services and to provide a fully-functional website, including digital content and services. User data is normally only processed once consent from the user has been obtained. Exceptions apply to cases where it is not possible to obtain prior consent for legitimate reasons or where processing of the data is permitted by law. Processing shall only take place within the data systems of the Kronberg Academy Foundation, on its own servers or on those of LUKA netconsult GmbH, in Germany.

Once the reasons for storage no longer apply, any data pertaining to data subjects shall be erased or the processing thereof restricted. Data may also be stored if this is provided for by European or German legislators in EU ordinances, laws or other regulations to which the controller is subject. Restricted processing or the erasure of data shall then also occur upon expiry of a storage period stipulated in the designated standards, unless it is necessary to continue storing the data in order to conclude or execute a contract.

Definition of terms

In order to ensure transparency, our Privacy Policy is modelled on both the GDPR and the Bundesdatenschutzgesetz (Federal Data Protection Act “BDSG”). The specialist terms used by us correspond to the GDPR definitions of these terms.

We refer here in particular to Art. 4 GDPR.

Controller for the purposes of Art. 13(1)(b) GDPR

The controller for the purposes of the GDPR and other national data protection laws of the EU member states, as well as any other data protection provisions, is the:

KRONBERG ACADEMY FOUNDATION
Friedrich-Ebert-Strasse 6
61476 Kronberg
Germany
Telephone +49 6173 783378
Email: stiftung(at)kronbergacademy.de 
Web: www.kronbergacademy.de 

Contact details of the data protection officer for the purposes of Art. 13(1)(b) GDPR:
The data protection officer of the controller is:
Mr Holger Heuermann
Tel. +49 6173 783363
h.heuermann(at)kronbergacademy.de 

Provider identification pursuant to Section 5 German Telemedia Act (TMG) can be found in the Legal Notice.

Data categories

We collect different categories of data from those who use our services. These are subdivided as follows:

  • Personal identification data, e.g.: names, addresses...
  • Electronic identification data, e.g.: IP addresses, screen resolution...
  • Contact details, e.g.: telephone numbers, email addresses...
  • Contract data, e.g.: date of contract conclusion, separate contract provisions...
  • Payment data, e.g.: payment process, account number...
  • Input data, e.g.: images that have been uploaded/submitted, text entries...
  • Tracking data, e.g.: search terms, articles read...

Purposes and legal basis of processing as defined by Art. 13(1)(c) GDPR

The GDPR constitutes the sole legal basis for the processing of data.
It is necessary for us to perform processing in order to provide the best possible service. More detailed descriptions of the different purposes can be found in the corresponding subsection.

Processing is based exclusively on the following legal foundation:

In accordance with Art. 6(1)(a) and Art. 7 GDPR, processing is lawful if the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

In accordance with Art. 6(1)(b) GDPR, processing is lawful if such processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.

In accordance with Art. 6(1)(c) GDPR, processing is lawful if such processing is necessary for compliance with a legal obligation to which the controller is subject.

In accordance with Art. 6(1)(d) GDPR, processing is lawful if such processing is necessary in order to protect the vital interests of the data subject or of another natural person.

In accordance with Art. 6(1)(f) GDPR, processing is lawful if such processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Transfer to third parties for the purposes of Art. 13(1)(e) GDPR

In principle, data shall not be passed on to third parties. There may be circumstances, however, in which it is appropriate to outsource data processing to an external service provider to allow us to perform our work (for example, address data are transmitted to transport companies to enable them to deliver products that have been purchased).

We shall only transfer data to recipients with whom we have concluded a contract on commissioned data processing as defined by Art. 28 GDPR. This article stipulates how data pertaining to data subjects should be handled, and ensures they are protected.

Rights of data subjects

Data subjects have the following rights:

  • Full right of access regarding the processed data pursuant to Art. 15 GDPR
  • Right to rectification of the data pursuant to Art. 16 GDPR
  • Right to GDPR-compliant portability of data pursuant to Art. 20 GDPR
  • Right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR
  • Right to withdraw data processing consent pursuant to Art. 7(3) GDPR
  • Right to object on personal grounds pursuant to Art. 21 GDPR or, specifically, a right to processing in accordance with Art. 6(1)(f) GDPR
  • Right to erasure of the data pursuant to Art. 17 GDPR. Should erasure be prevented on grounds arising from Art. 6(1) GDPR, the scope of processing shall be restricted.
  • Right to restriction of data processing pursuant to Art. 18 GDPR

How we process data

Collection and processing of anonymous and pseudonymised data in log files

What are the data concerned?
Every time the website is visited, general data are automatically collected on our servers. These data are:

  • The type and version of web browser used
  • The operating system installed
  • The website on which our own site was linked
  • The pages of our website visited
  • The hostname of the accessing computer (IP address)
  • The date and duration of the visit

This information (also termed “server log files”) is of a general nature and is not used to make inferences about the identity and particulars of data subjects.

Purpose and legal basis of processing
Storage takes place in order to ensure the proper functioning of the website. Without this data, it would sometimes be technically impossible to deliver and display the content of the website. It is, therefore, absolutely necessary to collect this data.

Furthermore, the data help us to optimise the website, ensure the security of our IT systems and protect against improper use. Evaluation of the data for marketing purposes does not take place in this context.

Our legitimate interest in data processing as defined by Art. 6(1)(b) and (f) GDPR also lies within these purposes.

Who is affected?
All visitors to our website.

When are these data erased?
The data are erased as soon as they are no longer required to fulfil the purpose for which they were collected. In the case of data being collected to make the website available, this occurs when a given session is ended. In the case of data being stored in log files, this occurs after a maximum period of seven months.

Use of cookies required for technical reasons

What are the data concerned?
We use cookies on our webpages. In this connection, please be advised that cookies may also originate from third parties and/or may be loaded from the servers of third parties, even though only the website of the controller – in this case our website – is being visited, and not that of any third party.

Cookies are small files stored on the devices used to access the webpages. These small files store information such as details about the user of the website, how the website is used and the device it was accessed from. In some cases, data is stored that goes beyond the use of the website. Cookies can also be used for marketing purposes to save the various preferences of the user.

Different types of cookies exist. There are persistent cookies, which, for example, will store a login status for a long period of time, and session cookies, which are automatically erased at the end of the session.

We use the following cookies, which are required for technical reasons:

  • A session cookie, which contains a typical string of characters for the duration of your visit to the website. This enables the browser to be clearly identified when visiting other pages of our website.
  • A persistent cookie, which stores the fact that the data subject has seen the info banner on the use of cookies and has clicked it away. The info banner will then not be re-displayed on every page for the data subject.
  • A persistent cookie which, if applicable, stores the fact that information on a user’s visit to the website should not be stored by Matomo web analytics (see section on Matomo website analytics software).

Purpose and legal basis of processing
We use the cookies required for technical reasons to simplify use of our website for visitors. Without the use of cookies, some functions of our website will not be available. These functions require the browser to be recognised, even when moving from one page to another. The user data collected by the cookies required for technical reasons are not used to create user profiles.

The legal basis for the processing of data using cookies required for technical reasons is Art. 6(1)(c) and (f) GDPR.

Who is affected?
All visitors to our website until cookies are blocked.

When are these data erased?
Cookies are stored on the user’s computer. Therefore, as users, data subjects have full control over the use of cookies and can erase them themselves at any time.

How can data subjects avoid cookies being stored?
Should data subjects not wish to have any cookies on their devices, we kindly request that they block the storage of cookies in the settings of their own web browsers to avoid cookies being stored. In addition, any previously stored cookies can be erased in individual web browser settings.

Please note, however, that blocking the use of cookies may restrict the usage options and functions of our web pages.

Some companies, which offer cookies professionally, have also configured an option enabling users to opt out of tracking tools. Further information can be found here: http://www.youronlinechoices.com

Matomo web analytics software (formerly PIWIK)

What are the data concerned?
Our website uses Matomo, an open source software tool used for statistical evaluation of visitor access. The software places a cookie on the user’s computer (see above for more about cookies). When individual pages of our website are visited, the following information is stored:

  • The web pages visited
  • The website from which the user came to the web pages visited (referrer)
  • The sub-pages called up from the web page originally visited
  • The time spent on the website
  • The frequency of visits to the website
  • Two bytes of the IP address from the user’s visiting system

The software is set so that IP addresses cannot be stored in full, and instead two bytes of the IP address are masked (e.g. 192.168.xxx.xxx). As a result, it is no longer possible to match the shortened IP address to the visiting computer, meaning that each user remains anonymous. The software runs solely on the servers of our website. User data is only stored there. These data are not passed on to third parties.

Purpose and legal basis of processing
Matomo enables us to analyse the surfing behaviour of our users. By evaluating the data collected, we are able to compile information on how individual components of our website are used. This helps us to improve our website and its user-friendliness on a continual basis. Our legitimate interest in processing data as defined by Art. 6(1)(f) GDPR also lies within these purposes. By anonymising IP addresses, we give adequate consideration to users’ interests in protecting their data.

Who is affected?
All visitors to our website until cookies are blocked.

When are these data erased?
The data are erased as soon as they are no longer required for our record-keeping purposes. This is the case after 24 months.

How can data subjects avoid cookies being stored?
Data subjects can decide whether explicit web analytics cookies may be placed on their computer to allow website operators to collect and analyse a range of statistical data.

If data subjects choose to opt out of this, they can click on the following link to place the Matomo deactivation cookie in their browser.

Reasons underpinned by the Foundation itself

Some data is also processed for purposes and reasons that are intrinsically linked to the Foundation itself. These include marketing purposes and data processing for teaching purposes.

What are the data concerned?

  • Personal identification data
  • Electronic identification data
  • Contact details
  • Contract data
  • Input data
  • Payment data

Purpose and legal basis of processing
This data processing takes place in order to be able to run the Kronberg Academy Foundation and meet legal obligations.

The legal basis is thus provided by Art. 6(1)(a) to (c) and (f) GDPR as well as Section 7 German Act Against Unfair Competition (UWG).

Data are passed on to third parties. The categories of recipients are as follows: payment service providers, communications service providers and web service providers.

Who is affected?
All visitors to our website, interested parties, customers, business partners, those who attend events and employees.

When are the data erased?
The data are erased once the intended purpose has been fulfilled; however, this does not take place before the legal archiving and storage obligations have been honoured. We perform checks in this regard every 24 months.

Newsletter

Data are processed on account of subscriptions to our newsletter (post/email). The following data are processed here:

  • Personal identification data
  • Contact details
  • Contract data

Purpose and legal basis of processing
This data processing takes place to enable us to deliver a newsletter.
The legal basis is provided by Art. 6(1)(a) GDPR as well as Section 7 German Act Against Unfair Competition (UWG).

Data are passed on to third parties. The categories of recipients are as follows: courier services, communications service providers and web service providers.

Who is affected?
All individuals who have subscribed to our newsletter.

When are the data erased?
The data are erased once the intended purpose has been fulfilled; however, this does not take place before the legal archiving and storage obligations have been honoured. We perform checks in this regard every 24 months.

Administration and organisation

Some data is also processed in connection with internal administrative tasks and in order to comply with legal obligations, such as financial accounting. 

What are the data concerned?

  • Personal identification data
  • Electronic identification data
  • Contact details
  • Contract data
  • Payment data
  • Input data
  • Tracking data

Purpose and legal basis of processing
This data processing takes place in order to be able to manage the Foundation efficiently and meet legal obligations.

The legal basis is thus provided by Art. 6(1)(c) and (f) GDPR.

Data are passed on to third parties. The categories of recipients are as follows: payment service providers and tax consultants.

Who is affected?
All visitors to our website, interested parties, customers, business partners and employees.

When are the data erased?
The data are erased once the intended purpose has been fulfilled; however, this does not take place before the legal archiving and storage obligations have been honoured. We perform checks in this regard every 24 months.

Contact form and contact by email

What are the data concerned?
There is a contact form on our website that can be used to establish contact electronically. If a user makes use of this option, the following data are stored:

  • Title
  • Name
  • Contact email address
  • Text of message entered by user
  • Contact telephone number (if entered by user)
  • Date and time of transmission
  • IP address of computer from which the form was sent
  • Address of page containing the contact form

Alternatively, contact can be made using the email address provided. In this case, the user data transmitted with the email shall be stored. 

Data are passed on to third parties. The categories of recipients are as follows: platform providers of communications tools. The data are used solely to process the conversation.

Purpose and legal basis of processing
Data entered in the input fields or contained in the email are processed solely to allow us to contact you. A necessary, legitimate interest in data processing lies in doing so.

The other data processed during the sending process serve to ensure that the contact form is not misused and also ensure the security of our IT systems.

The legal basis for the processing of data transmitted by means of the form or an email is Art. 6(1)(f) GDPR. If contact is made by email with the intention of concluding a contract, the legal basis for such processing shall be Art. 6(1)(b) GDPR.

Who is affected?
The groups of data subjects involved here are those interested in our services, our customers and any business partners who have made contact with us.

When are these data erased?
The data are erased as soon as they are no longer required to fulfil the purpose for which they were collected. With regard to data entered in the fields of the contact form and data sent to us via email, this shall be the case when the conversation in question between us and the user has ended. The conversation shall be deemed to have ended when circumstances indicate that the facts concerned have been fully clarified.

Hosting

Our website is hosted on the servers of LUKA netconsult GmbH. Such hosting is performed as commissioned data processing, in accordance with Art. 28 GDPR. This is necessary to ensure the availability of our services. Commissioned data processing takes place solely on the legal basis specified by Art. 6(1)(a) to (d) and (f) GDPR.

We have concluded a contract on commissioned data processing with LUKA netconsult GmbH pursuant to Art. 28 GDPR. This defines the framework for commissioned data processing contracts and provides protection for the data.

Shop

Data categories processed
Data processing also takes place in connection with our online shop.
The following categories of data are processed here:

  • Personal identification data
  • Contact details
  • Contract data
  • Payment data

Purpose and legal basis of processing
This processing is necessary for the performance of the contract and in order to take steps at the request of the data subject prior to entering into the contract. This also includes processing both prior and subsequent to the conclusion of the contract in the form of support queries.

The legal basis for this is therefore Art. 6(1)(b) GDPR.

Furthermore, we are also required to perform processing in order to comply with legal obligations. Mandatory archiving and storage duties are imposed on us.

The legal basis for this is therefore Art. 6(1)(c) GDPR.

Transmission to third parties and processing in third countries
These data are only passed on to third parties if this is necessary for us to fulfil our duties or if we are subject to legal obligations.

In some circumstances, these third parties may be located in third countries.

Categories of third parties here are:

  • Couriers/parcel services
  • Payment service providers

Who is affected?
The groups of data subjects involved here are those interested in our services, our customers and any business partners who have made contact with us in relation to our shop.

Erasure
The data are erased once the legal archiving and storage obligations have been honoured. We perform checks in this regard every 24 months.

Reservix
We use a solution supplied by Reservix GmbH for our online shop. Although it does not appear so on the screen, ticket sales are processed on a web page belonging to our service provider, Reservix GmbH. Please be aware that the service provider is Reservix GmbH, Humboldtstrasse 2, 79098 Freiburg im Breisgau, Germany. In addition to our privacy policy, Reservix has its own policy on the ticket sales pages. Further information can be found here: s3.eu-central-1.amazonaws.com/reservix/Datenschutzerklaerung_Reservix.pdf. We have entered into a contract with Reservix for commissioned data processing as defined by Art. 28 GDPR. All data transmitted to Reservix also come to us and are processed as stated in the “Shop” section.

Transmission to third countries

Should data pertaining to data subjects be transmitted to a third country, this shall only take place in line with the provisions of the GDPR (particularly Art. 44 et seq. GDPR). A third country is any State that is outside the European Economic Area (EEA).

In the case of specific purposes as defined by Art. 6 GDPR, processing shall therefore only take place in a third country if the data subject has given his or her consent; if an appropriate level of data protection commensurate with the GDPR is present in that country (specifically, in the USA the “EU-US Privacy Shield” must apply); if suitable guarantees as defined by Art. 46 GDPR apply, such as standard contract clauses or approved codes of conduct; or if a binding internal data protection regulation in line with the Binding Corporate Rules stated in Art. 47 GDPR is specified.

Social networks

On the website, we have links to the sites of social networks and other service providers (such as Facebook, Twitter and Instagram). These are external links, meaning that a connection with the servers of the other websites will only be established once those sites are visited. If data subjects visit another website from our website, they leave our website and thus also our sphere of responsibility.

Furthermore, we also process any data transferred to us via social media web pages. The aforementioned rights apply to social media sites within the boundaries of laws to which we are subject. Data subjects have the right to contact the operators of the social media platforms directly at any time. Please be advised that, in addition to our Privacy Policy, any such policy of the platform operator shall have primacy.

We refer particularly to the following privacy policies:

Facebook: www.facebook.com/about/privacy (controller: Facebook Ireland Ltd. 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland).

Twitter: twitter.com/privacy (controller: Twitter International Company Attn: Privacy Policy Inquiry, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 IRELAND).

Instagram: help.instagram.com/155833707900388/ (controller: Facebook Ireland Ltd. 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland).

YouTube: Our site uses links to YouTube videos. The service provider is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter “Google”). In addition to our privacy policy, a similar policy from Google also applies. Further information can be found here: https://www.google.com/policies/privacy

Google Maps

On some pages we use the “Google Maps” service to display directions. This feature is provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

As already stated above, data processing is only performed here if the provisions stipulated in the GDPR are met. This is the case with Google LLC thanks to its participation in the Privacy Shield.

When a “Google Maps” service is displayed, Google LLC stores data and cookies are placed on the data subject’s device. This can be prevented by adjusting the browser settings as described above.

Use of the “Google Maps” service assists with the provision of our website, whereby processing is necessary to protect the legitimate interests of the controller. The legal basis is therefore Art. 6(1)(f) GDPR.
In addition to our Privacy Policy and our Terms of Use, corresponding policies from Google LLC also apply.

These can be found under the following links:
Privacy policy: https://policies.google.com/privacy
Google LLC Terms of Use: https://policies.google.com/terms?gl=DE&hl=de
Google Maps Terms of Use: https://www.google.com/intl/de_de/help/terms_maps.html

Data security

In accordance with Art. 32 GDPR, we take suitable technical and organisational security measures to protect data against manipulation, unauthorised processing and accidental losses of any kind.

Furthermore, we adhere to the principle of Privacy by Design laid down in Art. 25 GDPR by using privacy-aware standard settings and software that is generally privacy-friendly.

We employ the most modern equipment and improve our services at regular intervals in order to continue to maintain the security of data in our services.

Validity of/modifications to this Privacy Policy

This Privacy Policy was last updated in May 2018. We reserve the right to modify this Privacy Policy on an ongoing basis in the course of offering our services where we have a legitimate interest in doing so, particularly if there are any changes to the legal situation. We therefore request that you visit this page regularly.