Menu

Privacy policy

Preamble

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as “data”) we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as the “online offering”).

The terms used are not gender-specific.

Last updated: July 24, 2023

Table of Contents

  • Preamble
  • Controller
  • Overview of Processing Activities
  • Relevant Legal Bases
  • Security Measures
  • Transmission of Personal Data
  • International Data Transfers
  • Use of Cookies
  • Business Services
  • Provision of the Online Offering and Web Hosting
  • Contact and Inquiry Management
  • Presences on Social Networks (Social Media)
  • Plugins, Embedded Functions, and Content

Controller

Alcatraz Touring GmbH
Henschelstraße 10
34311 Naumburg (Hessen)
Germany

Authorized representatives: Thomas Kubitz & Aileen Huber

Email: info@alcatraz-touring.de

Legal notice: http://alcatraz-touring.de/

Relevant Legal Bases

Relevant legal bases under the GDPR: Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. Should more specific legal bases be applicable in individual cases, we will inform you of these in the privacy policy.

  • Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
  • Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party, or for pre-contractual measures taken at the data subject’s request.
  • Legal obligation (Art. 6(1)(c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

National data protection regulations in Germany: In addition to the GDPR, national data protection regulations apply in Germany, in particular the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG contains specific provisions on the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission as well as automated decision-making in individual cases, including profiling. Additionally, state data protection laws of the individual federal states may apply.

Note on the applicability of the GDPR and the Swiss FADP: These data protection notices serve the purpose of providing information in accordance with both the Swiss Federal Act on Data Protection (FADP) and the General Data Protection Regulation (GDPR). For this reason, please note that the terms of the GDPR are used due to their broader geographical scope and comprehensibility. In particular, instead of the terms “processing” of “personal data” and “overriding interest” used in the Swiss FADP, the GDPR terms “processing” of “personal data” and “legitimate interest” are used. The legal meaning of these terms will, however, continue to be determined in accordance with the Swiss FADP where it applies.

Overview of Processing Activities

The following overview summarizes the types of data processed and the purposes of their processing, and refers to the data subjects concerned.

Types of data processed:

  • Master data
  • Payment data
  • Location data
  • Contact data
  • Content data
  • Contract data
  • Usage data
  • Meta, communication, and procedural data

Categories of data subjects:

  • Prospective customers
  • Communication partners
  • Users
  • Business and contractual partners

Purposes of processing:

  • Provision of contractual services and customer support
  • Contact inquiries and communication
  • Office and organizational procedures
  • Management and response to inquiries
  • Feedback
  • Marketing
  • User-related profiles
  • Provision of our online offering and user experience
  • Information technology infrastructure

Security Measures

We implement appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.

These measures include in particular ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access to, input of, disclosure of, and safeguarding of availability of the data, and their separation. We have also established procedures to ensure the exercise of data subjects’ rights, the deletion of data, and responses to data security threats. Furthermore, we take the protection of personal data into account as early as the development or selection of hardware, software, and processes, in accordance with the principle of data protection by design and by default.

Transmission of Personal Data

In the course of processing personal data, it may be necessary to transfer or disclose such data to other parties, companies, legally independent organizational units, or individuals. Recipients of such data may include, for example, service providers commissioned with IT tasks or providers of services and content integrated into a website. In such cases, we comply with legal requirements and in particular conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.

International Data Transfers

Data processing in third countries: If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if this occurs in the context of using third-party services or disclosing or transferring data to other individuals, entities, or companies, this is done only in accordance with legal requirements.

Subject to explicit consent or contractually or legally required transfer (see Art. 49 GDPR), we only process or have data processed in third countries with a recognized level of data protection (Art. 45 GDPR), on the basis of contractual obligations through the EU Commission’s standard contractual clauses (Art. 46 GDPR), or in the presence of certifications or binding internal data protection regulations (see Arts. 44–49 GDPR, EU Commission information page: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).

Trans-Atlantic Data Privacy Framework (TADPF): Within the framework of the so-called “Data Privacy Framework” (DPF), the EU has also recognized the level of data protection for certain companies from the USA. The list of certified companies, as well as further information about the DPF, can be found on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/. Information in German and other languages is available on the EU Commission’s website: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_de. We will also inform you about the companies we use that are certified under the Data Privacy Framework.

Use of Cookies

Cookies are small text files or other storage entries that store information on end devices and read information from them — for example, to save the login status in a user account, the contents of a shopping cart, the content accessed, or the functions used within an online offering. Cookies may also be used for various purposes, such as ensuring the functionality, security, and convenience of online offerings, as well as for the creation of analyses of visitor flows.

Information on consent: We use cookies in accordance with legal requirements. We therefore obtain prior consent from users, unless this is not required by law. Consent is not required in particular when the storing and reading of information — including cookies — is strictly necessary to provide users with a telemedia service they have expressly requested (i.e., our online offering). Strictly necessary cookies generally include cookies that serve functions related to displaying and operating the online offering, load balancing, security, storing user preferences and options, or similar purposes connected to providing the main and ancillary functions of the online offering requested by users. Revocable consent is communicated clearly to users and includes information about the respective cookie usage.

Information on legal bases: The legal basis on which we process users’ personal data with the help of cookies depends on whether we ask users for consent. If users consent, the legal basis for processing their data is the declared consent. Otherwise, data processed with the help of cookies is processed on the basis of our legitimate interests (e.g., in the commercially viable operation of our online offering and its improvement) or, where this occurs in the context of fulfilling our contractual obligations, where the use of cookies is necessary to fulfill our contractual duties. We will explain the purposes for which cookies are processed in the course of this privacy policy or within our consent and processing procedures.

Storage duration: The following types of cookies are distinguished with regard to storage duration:

  • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online offering and closed their end device (e.g., browser or mobile application).
  • Permanent cookies: Permanent cookies remain stored even after the end device is closed. For example, the login status can be saved, or preferred content can be displayed directly when the user revisits a website. Likewise, data collected using cookies can be used for reach measurement. Unless we provide users with explicit information about the type and storage duration of cookies (e.g., when obtaining consent), users should assume that cookies are permanent and that the storage period may be up to two years.

General information on revocation and objection (opt-out): Users may revoke their consent at any time and object to processing in accordance with legal requirements. Users may, among other things, restrict the use of cookies in their browser settings (which may also limit the functionality of our online offering). Objection to the use of cookies for online marketing purposes can also be declared via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/.

Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Consent (Art. 6(1)(a) GDPR).

Further notes on processing procedures, methods, and services:

  • Processing of cookie data on the basis of consent: We use a cookie consent management procedure in which users’ consent to the use of cookies, or the processing activities and providers referred to in the cookie consent management procedure, is obtained, managed, and revoked by users. The consent declaration is stored to avoid having to repeat the inquiry and to be able to demonstrate consent in accordance with the legal obligation. Storage may take place server-side and/or in a cookie (so-called opt-in cookie, or using comparable technologies) in order to be able to associate consent with a user or their device. Unless individual information is provided about the providers of cookie management services, the following applies: the duration of consent storage may be up to two years. A pseudonymous user identifier is created and stored together with the time of consent, the scope of consent (e.g., which categories of cookies and/or service providers), as well as the browser, system, and end device used. Legal basis: Consent (Art. 6(1)(a) GDPR).

Business Services

We process data of our contractual and business partners, e.g., customers and prospective customers (collectively referred to as “contractual partners”), in the context of contractual and comparable legal relationships and related measures, and in the context of communication with contractual partners (or pre-contractually), e.g., to respond to inquiries.

We process this data to fulfill our contractual obligations. This includes in particular the obligation to provide the agreed services, any update obligations, and remedies for warranty and other service disruptions. We also process the data to safeguard our rights and for administrative tasks associated with these obligations, as well as for business organization. Furthermore, we process data on the basis of our legitimate interests in proper and commercially sound business management and security measures to protect our contractual partners and our business operations from misuse, threats to their data, secrets, information, and rights (e.g., involving telecommunications, transport, and other auxiliary services and subcontractors, banks, tax and legal advisors, payment service providers, or tax authorities). Within the scope of applicable law, we only disclose the data of contractual partners to third parties to the extent necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners will be informed about further forms of processing, e.g., for marketing purposes, within this privacy policy.

We inform contractual partners of which data is required for the aforementioned purposes before or in the course of data collection, e.g., in online forms, by means of special labeling (e.g., colors) or symbols (e.g., asterisks), or in person.

We delete the data after the expiry of statutory warranty and comparable obligations, i.e., generally after 4 years, unless the data is stored in a customer account, e.g., for as long as it must be retained for legal archiving purposes. The statutory retention period for tax-relevant documents and commercial books, inventories, opening balance sheets, annual financial statements, work instructions required to understand these documents, and other organizational documents and accounting records is ten years; for received commercial and business letters and copies of dispatched commercial and business letters, it is six years. The period begins at the end of the calendar year in which the last entry was made in the book, the inventory, opening balance sheet, annual financial statement, or management report was prepared, the commercial or business letter was received or dispatched, or the accounting record was created, the recording was made, or the other documents were produced.

Where we use third-party providers or platforms to provide our services, the terms and conditions and privacy notices of the respective third-party providers or platforms apply in the relationship between users and those providers.

Types of data processed: Master data (e.g., names, addresses); payment data (e.g., bank details, invoices, payment history); contact data (e.g., email, phone numbers); contract data (e.g., subject matter, duration, customer category).

Data subjects: Prospective customers; business and contractual partners.

Purposes of processing: Provision of contractual services and customer support; contact inquiries and communication; office and organizational procedures; management and response to inquiries.

Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); Legal obligation (Art. 6(1)(c) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).

Further notes on processing procedures, methods, and services:

  • Agency services: We process data of our clients within the scope of our contractual services, which may include, for example, conceptual and strategic consulting, campaign planning, software and design development/consulting or maintenance, implementation of campaigns and processes, handling, server administration, data analysis/consulting services, and training. Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).

Provision of the Online Offering and Web Hosting

We process users’ data in order to provide them with our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the contents and functions of our online services to the user’s browser or end device.

Types of data processed: Usage data (e.g., visited websites, interest in content, access times); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status); content data (e.g., entries in online forms).

Data subjects: Users (e.g., website visitors, users of online services).

Purposes of processing: Provision of our online offering and user experience; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)).

Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Further notes on processing procedures, methods, and services:

  • Provision of the online offering on rented storage space: For the provision of our online offering, we use storage space, computing capacity, and software that we rent or otherwise obtain from a corresponding server provider (also referred to as a “web host”). Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
  • Email sending and hosting: The web hosting services we use also include the sending, receiving, and storage of emails. For these purposes, the addresses of recipients and senders, as well as further information relating to the email dispatch (e.g., the providers involved) and the contents of the respective emails, are processed. The aforementioned data may also be processed for the purpose of detecting spam. Please note that emails are generally not sent in encrypted form over the internet. While emails are typically encrypted in transit, they are not encrypted (unless end-to-end encryption is used) on the servers from which they are sent and received. We therefore cannot accept responsibility for the transmission path of emails between the sender and receipt on our server. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
  • STRATO: Services in the field of providing information technology infrastructure and related services (e.g., storage space and/or computing capacity). Service provider: STRATO AG, Pascalstraße 10, 10587 Berlin, Germany. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.strato.de. Privacy policy: https://www.strato.de/datenschutz. Data processing agreement: provided by the service provider.
  • WordPress.com: Hosting and software for the creation, provision, and operation of websites, blogs, and other online offerings. Service provider: Aut O’Mattic A8C Ireland Ltd., Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://wordpress.com. Privacy policy: https://automattic.com/de/privacy/. Data processing agreement: https://wordpress.com/support/data-processing-agreements/. Basis for third-country transfers: Data Privacy Framework (DPF).

Contact and Inquiry Management

When contacting us (e.g., by post, contact form, email, telephone, or via social media) and in the context of existing user and business relationships, the information provided by the inquiring parties is processed to the extent necessary to respond to the contact inquiries and any requested measures.

Types of data processed: Contact data (e.g., email, phone numbers); content data (e.g., entries in online forms); usage data (e.g., visited websites, interest in content, access times); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).

Data subjects: Communication partners.

Purposes of processing: Contact inquiries and communication; management and response to inquiries; feedback (e.g., collecting feedback via online form); provision of our online offering and user experience.

Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).

Further notes on processing procedures, methods, and services:

  • Contact form: When users contact us via our contact form, email, or other communication channels, we process the data provided to us in this context in order to handle the inquiry submitted. Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).

Presences on Social Networks (Social Media)

We maintain online presences within social networks and process data of users in this context in order to communicate with users active on those platforms or to provide information about us.

We point out that user data may be processed outside the European Union in this context. This may give rise to risks for users, as it could, for example, make it more difficult to enforce their rights.

Furthermore, user data within social networks is typically processed for market research and advertising purposes. For example, usage profiles may be created based on user behavior and the resulting interests. These usage profiles may in turn be used to place advertisements within and outside the networks that are presumed to match users’ interests. For these purposes, cookies are generally stored on users’ computers, recording usage behavior and interests. In addition, data may be stored in usage profiles independently of the devices used by users (particularly if users are members of the respective platforms and logged into them).

For a detailed overview of the respective forms of processing and opt-out options, we refer to the privacy policies and information provided by the operators of the respective networks.

We also point out that, in the case of information requests and the assertion of data subject rights, these can most effectively be asserted with the providers directly. Only the providers have access to users’ data and can take appropriate measures and provide information directly. If you still need assistance, you are welcome to contact us.

Types of data processed: Contact data (e.g., email, phone numbers); content data (e.g., entries in online forms); usage data (e.g., visited websites, interest in content, access times); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).

Data subjects: Users (e.g., website visitors, users of online services).

Purposes of processing: Contact inquiries and communication; feedback (e.g., collecting feedback via online form); marketing.

Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Further notes on processing procedures, methods, and services:

  • Instagram: Social network. Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.instagram.com. Privacy policy: https://instagram.com/about/legal/privacy.
  • Facebook pages: Profiles within the social network Facebook. We are jointly responsible with Meta Platforms Ireland Limited for the collection (but not the further processing) of data from visitors to our Facebook page (so-called “fan page”). This data includes information about the types of content users view or interact with, or the actions they take (see “Things you and others do and provide” in the Facebook Data Policy: https://www.facebook.com/policy), as well as information about the devices used by users (e.g., IP addresses, operating system, browser type, language settings, cookie data; see “Device information” in the Facebook Data Policy: https://www.facebook.com/policy). As explained in the Facebook Data Policy under “How do we use this information?”, Facebook also collects and uses information to provide page operators with analytics services called “Page Insights,” enabling them to gain insights into how people interact with their pages and associated content. We have concluded a specific agreement with Facebook (“Information about Page Insights,” https://www.facebook.com/legal/terms/page_controller_addendum), which in particular governs the security measures Facebook must observe and in which Facebook has agreed to fulfill data subjects’ rights (i.e., users can, for example, direct requests for information or deletion directly to Facebook). Users’ rights (in particular the right to access, erasure, objection, and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook. Further information can be found in the “Information about Page Insights” (https://www.facebook.com/legal/terms/information_about_page_insights_data). Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.facebook.com. Privacy policy: https://www.facebook.com/about/privacy. Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum). Further information: Joint controllership agreement: https://www.facebook.com/legal/terms/information_about_page_insights_data. Joint controllership is limited to the collection by and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, in particular the transfer of data to its parent company Meta Platforms, Inc. in the USA (on the basis of Standard Contractual Clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).

Plugins, Embedded Functions, and Content

We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). These may include, for example, graphics, videos, or maps (hereinafter collectively referred to as “content”).

Such integration always requires that the third-party providers of this content process users’ IP addresses, since without the IP address they would not be able to send the content to the user’s browser. The IP address is therefore necessary for the display of this content or these functions. We endeavor to use only content whose respective providers use the IP address solely for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. The pixel tags can be used to analyze information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on users’ devices and may contain, among other things, technical information about the browser and operating system, referring websites, time of visit, and further details about the use of our online offering, as well as being linked with such information from other sources.

Types of data processed: Usage data (e.g., visited websites, interest in content, access times); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status); master data (e.g., names, addresses); contact data (e.g., email, phone numbers); content data (e.g., entries in online forms); location data (information on the geographic position of a device or person).

Data subjects: Users (e.g., website visitors, users of online services).

Purposes of processing: Provision of our online offering and user experience; user-related profiles (creating user profiles); marketing.

Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Further notes on processing procedures, methods, and services:

  • Google Fonts (sourced from Google servers): Retrieval of fonts (and symbols) for the purpose of technically secure, maintenance-free, and efficient use of fonts and symbols with regard to up-to-dateness and loading times, their uniform display, and consideration of possible licensing restrictions. The provider of the fonts is informed of the user’s IP address so that the fonts can be made available in the user’s browser. In addition, technical data (language settings, screen resolution, operating system, hardware used) is transmitted, which is necessary for providing the fonts depending on the devices used and the technical environment. This data may be processed on a server of the font provider in the USA. When visiting our online offering, users’ browsers send their browser HTTP requests to the Google Fonts Web API (i.e., a software interface for retrieving fonts). The Google Fonts Web API provides users with the Cascading Style Sheets (CSS) of Google Fonts and then the fonts specified in the CSS. These HTTP requests include (1) the IP address used by the respective user to access the internet, (2) the requested URL on the Google server, and (3) the HTTP headers, including the user agent describing the browser and operating system versions of the website visitor, as well as the referral URL (i.e., the web page on which the Google font is to be displayed). IP addresses are neither logged nor stored on Google servers and are not analyzed. The Google Fonts Web API logs details of the HTTP requests (requested URL, user agent, and referral URL). Access to this data is restricted and strictly controlled. The requested URL identifies the font families for which the user wants to load fonts. This data is logged so that Google can determine how often a particular font family is requested. The user agent must be adapted at the Google Fonts Web API to match the font generated for the respective browser type. The user agent is primarily logged for debugging and used to generate aggregate usage statistics measuring the popularity of font families. These aggregated usage statistics are published on the “Analytics” page of Google Fonts. Finally, the referral URL is logged so that the data can be used for production maintenance and an aggregated report on top integrations based on the number of font requests can be generated. According to Google, it does not use any of the information collected by Google Fonts to create profiles of end users or to serve targeted advertising. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://fonts.google.com/. Privacy policy: https://policies.google.com/privacy. Basis for third-country transfers: Data Privacy Framework (DPF). Further information: https://developers.google.com/fonts/faq/privacy?hl=de.
  • Google Maps: We embed maps from the “Google Maps” service provided by Google. The data processed may include in particular users’ IP addresses and location data. Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://mapsplatform.google.com/. Privacy policy: https://policies.google.com/privacy. Basis for third-country transfers: Data Privacy Framework (DPF).
  • Instagram plugins and content: Instagram plugins and content — these may include, for example, content such as images, videos, or texts, and buttons allowing users to share content from this online offering on Instagram. We are jointly responsible with Meta Platforms Ireland Limited for the collection or receipt via transmission (but not the further processing) of “event data” that Facebook collects or receives via transmission using Instagram functions (e.g., embedding functions for content) executed on our online offering, for the following purposes: (a) displaying content and advertising information that is presumed to correspond to users’ interests; (b) delivering commercial and transaction-related messages (e.g., addressing users via Facebook Messenger); (c) improving ad delivery and personalization of functions and content (e.g., improving identification of which content or advertising information is presumed to correspond to users’ interests). We have concluded a specific agreement with Facebook (“Controller Addendum,” https://www.facebook.com/legal/controller_addendum), which in particular governs the security measures Facebook must observe (https://www.facebook.com/legal/terms/data_security_terms) and in which Facebook has agreed to fulfill data subjects’ rights (i.e., users can, for example, direct requests for information or deletion directly to Facebook). Note: When Facebook provides us with metrics, analyses, and reports (which are aggregated, i.e., contain no information about individual users and are anonymous to us), this processing does not occur within the framework of joint controllership, but on the basis of a data processing agreement (“Data Processing Terms,” https://www.facebook.com/legal/terms/dataprocessing), the “Data Security Terms” (https://www.facebook.com/legal/terms/data_security_terms), and, with regard to processing in the USA, on the basis of Standard Contractual Clauses (“Facebook EU Data Transfer Addendum,” https://www.facebook.com/legal/EU_data_transfer_addendum). Users’ rights (in particular the right to access, erasure, objection, and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook. Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.instagram.com. Privacy policy: https://instagram.com/about/legal/privacy.
  • YouTube videos: Video content. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.youtube.com. Privacy policy: https://policies.google.com/privacy. Basis for third-country transfers: Data Privacy Framework (DPF). Opt-out: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de; settings for ad display: https://adssettings.google.com/authenticated.
  • Vimeo: Video content. Service provider: Vimeo Inc., Attention: Legal Department, 555 West 18th Street, New York, New York 10011, USA. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://vimeo.com. Privacy policy: https://vimeo.com/privacy. Data processing agreement: https://vimeo.com/enterpriseterms/dpa. Basis for third-country transfers: Standard Contractual Clauses (https://vimeo.com/enterpriseterms/dpa). Opt-out: We note that Vimeo may use Google Analytics and refer to the privacy policy (https://policies.google.com/privacy) and the opt-out options for Google Analytics (https://tools.google.com/dlpage/gaoptout?hl=de) or Google’s settings for data use for marketing purposes (https://adssettings.google.com/).

Created with the free privacy policy generator by Dr. Thomas Schwenke (https://datenschutz-generator.de).

Back to homepage