Privacy Policy

Data protection notice

The purpose of this privacy policy is to inform you what type of personal data (hereinafter also referred to as “data”) we process in the context of the provision of our services, for what purposes we process it, and to what extent.

Controller
Jonas Zipf
Licht ins Dunkel e.V.
c/o JenaKultur
Knebelstraße 10
07743 Jena

Data protection officer
Kristina Wydra, Local International
Email info@kein-schlussstrich.de

Data processing
This section details the types of data processed, the purpose of data collection, and data subjects.

Types of data processed
– Personal data (e.g. names, addresses)
– Content (e.g. entries in online forms)
– Contact data (e.g. email addresses, telephone numbers)
– Meta data/communication data (e.g. device information, IP addresses)
– Usage data (e.g. websites visited, interest in content, access duration)
– Contract data (e.g. object of the contract, duration, customer category)
– Payment data (e.g. account details, invoices, payment history)

Data subject categories
– Business and contractual partners
– Persons we communicate with
– Members
– Users (e.g. website users, users of online services)

Purpose of processing
– Providing our online services and ensuring usability
– Direct marketing (by email or by post)
– Responding to contact requests and for communication purposes
– Meeting contractual obligations and providing customer service
– Managing and responding to customer requests

Legislation governing the processing of personal data
The following paragraphs contain an overview of the GDPR legislation which is the basis for the processing of personal data. Please note that other than the GDPR there may be national data protection regulations in your country of residence which apply here. Should other legislation apply in individual cases, we will inform you in this privacy notice.

– Consent (Article 6 (1) (a) GDPR) – The data subject has consented to the processing of relevant personal data for one or more specific purposes.

– Performance of contracts and pre-contractual requests (Article 6 (1) (b) GDPR) – Processing of the data is necessary for the performance of a contract the data subject is party to, or to take steps, at the request of the data subject, prior to entering into a contract.

– Legitimate interests (Article 6 (1) (f) GDPR) – Processing of the data is necessary to safeguard the legitimate interests of the controller or a third party, unless these are outweighed by the interests or rights and freedoms of the data subject which require personal data to be protected.

German data protection regulations
In addition to the data protection rules set down in the General Data Protection Regulation, national regulations for data protection also apply in Germany. This includes the Law on Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act, BDSG). The BDSG includes special provisions on the right of access, the right to erase, the right to object, the processing of special categories of data, processing for other purposes, data transfer, as well as automated individual decision-making, including profiling. It also governs the data processing for the purpose of employment relationships (§ 26 BDSG), in particular regarding the establishment, implementation, and termination thereof as well as for employee consent. Further, data protection laws in the individual German states may also be applicable.

Cookies
Cookies are small text files containing information about websites or domains visited and saved on the browser of the user’s computer. Cookies are used primarily to collect and store information about a user during or after their visit to a website. This may include, for example, the language settings of the site, the login status, the shopping basket, or the location where a video was viewed. The term cookie also includes other technologies which fulfil similar functions to cookies (e.g. where user data is stored based on pseudonyms, also known as user IDs).

There are several types of cookies:
Temporary cookies (session cookies): Temporary cookies are deleted at the latest after a user has left an online service and closed their browser.
Permanent cookies: Permanent cookies remain on the PC even after the browser is closed. That way, a user’s login status can be retained, or preferred content can be shown when the user revisits the site. These cookies may also store users’ preferences, which can be used to measure the performance of the site or for marketing purposes.
First-party cookies: First-party cookies are set by us.
Third-party cookies: Third-party cookies are usually set by marketing companies, i.e. third parties, to process user information.
Essential cookies: Cookies may be essential to run a website (e.g. to store login data or user entries or for security purposes).
Statistics, marketing and personalisation cookies: Cookies are also used to measure audience reach or to store the interests of a user or their behaviour on particular websites (e.g. looking at certain content, use of functions etc.) in their user profile. Such profiles are used, for example, to show users content that might be of interest to them. This practice is called tracking, i.e. users’ potential interests are tracked. Where we use cookies or tracking technology, we will inform you separately in our Privacy Policy or when requesting consent.

Legal basis: The legal basis for processing your personal data with the help of cookies depends on whether we request your consent or not. If we ask for your consent and you grant it, the legal basis for data processing is your consent. Where we do not request consent, the processing of the data collected with the help of cookies is based on our legitimate interests (e.g. in the economic and effective operation of our online services), or takes place in cases where the use of cookies is required to fulfil our contractual obligations.

Cookie storage: Permanent cookies are stored for up to two years unless otherwise specified (e.g. during a cookie opt-in).

Revoking consent and objecting to cookies (opt-out):
Depending on whether the data processing is based on your consent or for legal reasons, you have the right to revoke your consent at any time or to object to the processing of your data using cookie technologies (also called “opt-out”). You can object via your browser settings, e.g. by deactivating the use of cookies (although this might impact the functioning of our online services). Information on opting out of the use of cookies for online marketing purposes (tracking in particular) can also be found on a number of services: https://optout.aboutads.info and https://www.youronlinechoices.com/. Information on the service providers and cookies used may also contain details on cookie opt-out.

Processing of personal data gained via cookie consent: The cookie management tool we use enables us to collect the user consent for the use of cookies, or the procedures and providers mentioned in the cookie management tool. It also allows users to manage and withdraw their consent. We store the declaration of consent in order not to have to repeat the request and to be able to prove that we fulfilled the legal requirements regarding consent. This may be stored on our servers and/or in a cookie (so-called opt-in cookie or similar technology) to enable us to link a particular user or their device. Subject to individual information regarding the providers of cookie management services, the following applies: consent may be stored for up to two years. This involves the creation of a pseudonymous user identifier, which is then stored together with the time and date of consent, cookie consent level (e.g. what categories of cookies and/or services) as well as the browser, system and device used.

Types of data processed: Usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
Data subjects: Users (e.g. website visitors, users of online services).
Legal basis: Consent (Article 6 (1) (a) GDPR), legitimate interests (Article 6 (1) (f) GDPR).

Fulfilment of duties according to our statutes or rules of procedure
We process the data of our members, supporters, prospective customers, business partners or other persons (data subjects) if we have a membership or other contractual relationship with them and are fulfilling our obligations in relation thereto as well as if we are the recipients of services or financial contributions. We also process the data of our data subjects based on our legitimate interests, e.g. in relation to administrative tasks or marketing activities. The data processed, type and extent of processing, purpose and need for processing is based on the underlying membership or contractual relationship, which also determines what data is needed (we will specify what data is required). We will delete data that is no longer required for business purposes or to fulfil legal obligations. This is based on the applicable duties and contractual relationships. We will store this data for as long as it is required for our business processes but also to fulfil any warranty or liability requirements on the basis of our legitimate interests in the settlement of warranty or liability claims. The necessity for data storage will be reviewed on a regular basis. All legal data retention requirements apply.
Data processed: Personal data (e.g. names, addresses), payment data (e.g. account data, invoices, payment history), contact data (e.g. email, phone numbers), contract data (e.g. object of the contract, duration, customer category).
Data subjects: Users (e.g. website visitors, users of online services), members, business or contractual partners.
Purpose of processing: Fulfilling contractual obligations and providing customer service, contact requests and communication, management and responses to requests.
Legal basis: Fulfilling contracts and pre-contractual requests (Article 6 (1) (b) GDPR), legitimate interests (Article 6 (1) (f) GDPR).

Online services and web hosting
In order to provide our online services securely and efficiently, we use the services of one or more web hosting providers. Our online services can be accessed from the servers of these providers (or servers they manage). To this end, we may use infrastructure and platform services, computing capacity, storage space and database services as well as security and maintenance services. In the context of providing these hosting services, we process data belonging to users of our online services insofar as this data is needed in connection to the use of said services as well as for relevant communication. This regularly includes the IP address required to deliver the contents of online services to any browsers as well as any and all data entries made during the use of our online services and web pages.

Access data and log files
We (or our web hosting provider) collect data on all accesses to our servers (so-called server log files). These files may contain the address and the name of the web pages and files accessed, date and time of the request, data volumes transferred, confirmation of successful requests, browser type and version, operating system of the user’s device, referrer URL and usually also the IP address as well as the provider making the request. The server log files can be used for security reasons, e.g. to prevent the servers from becoming overloaded (especially in the case of criminal DDoS attacks), but also to enable server workload protection and stability.

Data processed: Content data (e.g. entries in online forms), usage data (e.g. websites visited, interest in content, access duration), meta/communication data (e.g. device information, IP addresses).
Data subjects: Users (e.g. website visitors, users of online services).
Purpose of processing: Providing our online services and ensuring usability, fulfilling contractual obligations and providing customer support.
Legal basis: Legitimate interests (Article 6 (1) (f) GDPR).

Services and service providers used:
WordPress.com: hosting platform for blogs and websites; provided by: Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA; website: https://wordpress.com; privacy policy: https://automattic.com/privacy/ https://automattic.com/de/privacy/.
hosteurope: services associated with the provision of information technology infrastructure and related services (e.g. storage and/or computing capacity); provided by: Host Europe GmbH, Hansestrasse 111, 51149 Köln, Germany; website: https://www.hosteurope.de; privacy notice: https://www.hosteurope.de/en/terms-and-conditions/privacy/ https://www.hosteurope.de/AGB/Datenschutzerklaerung/

Produced based on the free privacy policy generator provided by Dr. Thomas Schwenke