Data protection and information security
Data Protection Information
The protection of your personal data during its collection, processing and use in the course of your visit to our homepage is important to us. Below you will find information about which personal data we process, for what purpose, on what basis and for how long:
Name and contact details of the person responsible
Responsible for the collection and use of personal data under the data protection law is
GFAI – Society for the Promotion of Applied Information Sciences e.V.
represented by the Director Prof. Dr. Johann Haller
Telephone: +49 681 38951-0
Fax: +49 681 38951 40
Copyright © by IAI 2009
All rights reserved.
Contact details of the data protection officer of the person responsible
You may contact the data protection officer for the above-mentioned person responsible at
A. General information on the processing of personal data
Legal basis for the processing of personal data
The following applies to the processing of personal data by us:
- Insofar as we obtain consent for the processing of personal data, Art. 6 para. 1 letter a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis for the processing of personal data.
- In the processing of personal data necessary for the performance of a contract to which the data subject is a party, Article 6(1)(b) General Data Protection Regulation (GDPR) serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures.
- If the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 letter c) General Data Protection Regulation (GDPR) serves as the legal basis.
- In the event that the vital interests of the data subject or another natural person require the processing of personal data, Article 6(1)(d) General Data Protection Regulation (GDPR) serves as the legal basis.
- If processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Art. 6 para. 1 letter f) General Data Protection Regulation (GDPR) serves as the legal basis for processing.
Reference to the special right of objection
As far as we process personal data on the basis of Art. 6 paragraph 1 letter f) General Data Protection Regulation (GDPR) due to justified interests, we expressly point out to you that you can object to the processing of the personal data concerning you at any time for reasons which arise from your special situation. If we cannot prove any compelling reasons worthy of protection for further processing which outweigh your interests, rights and freedoms, or if we process the relevant data from you for the purpose of direct advertising, we will then no longer process your data (cf. Art. 21 General Data Protection Regulation (GDPR)).
A technical procedure that you use, e.g. clear technical information that your web browser transmits to us ("Do-Not-Track" message), also constitutes an objection in this sense.
Data Erasure and Storage Time
Personal data will be deleted or blocked as soon as the purpose of storage ceases to apply. Furthermore, data may be stored if this has been provided for by the European or national legislator in EU regulations, laws or other regulations to which we as the person responsible are subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.
This means in concrete terms:
If we process personal data on the basis of consent to data processing (Art. 6 paragraph 1 letter a) General Data Protection Regulation, in short: GDPR), the processing ends with your revocation, unless there is another legal reason for processing the data, which is the case if we are still entitled at the time of the revocation to process your data for the purpose of contract fulfilment or if the data processing is necessary to protect our legitimate interests (cf. in each case below).
If we process the data exceptionally on the basis of our legitimate interests (Art. 6 paragraph 1 letter f) General Data Protection Regulation (GDPR)) within the scope of a prior weighing of interests, we store the data until the legitimate interest no longer exists, the weighing comes to a different result or you have effectively filed an objection in accordance with Art. 21 General Data Protection Regulation (GDPR) (cf. the visually highlighted "Reference to the special right of objection").
If we process data for contract fulfilment, we will store the data until the contract is finally fulfilled and processed and no further claims can be asserted under the contract, i.e. until the statute of limitations has come into effect. The general limitation period according to § 195 BGB is three (3) years. However, certain claims, such as claims for damages, become statute-barred after 30 years. If there is a legitimate reason to assume that this is relevant in individual cases, we will store the personal data for this period. The aforementioned limitation periods begin at the end of the year (31.12.) in which the claim arose and the creditor becomes aware of the circumstances giving rise to the claim and the person of the debtor or should become aware of them without gross negligence.
We would like to point out that we are also subject to statutory retention obligations for tax and accounting reasons. These oblige us to keep certain data, including personal data, for a period of six (6) to ten (10) years as proof of our accounting. These retention periods take precedence over the above-mentioned deletion obligations. The retention periods also begin at the end of the year in question, i.e. on 31 December.
Source of Personal Data
The personal data processed by us originates primarily from the data subjects themselves, for example through use of our website (transmission of information such as the IP address to our web server via the user's web browser and technical system), through a request for information material or for an offer from us, as customers by placing an order with us or concluding a contract with us, as press representatives by requesting information material, press releases, statements, etc., as suppliers by delivering goods as agreed or providing services, and the like.
Only in very exceptional cases can personal data processed by us come from third parties, for example if a person acts on behalf of a third party.
Specific Categories, Purposes and Legal Basis for the Processing of Personal Data
We process the following categories of personal data:
- Users of our website,
- Interested parties,
- Members of the press,
- customers, and
Depending on the category of data concerned, we process personal data for the following purposes and on the basis of the respective legal basis of the General Data Protection Regulation (GDPR):
User data: Data from users of our website is collected and processed by us on a non-personal basis. An assignment to certain persons is not possible for us. The IP address will only be processed anonymously. If, in exceptional cases, personal data are affected, we process them to protect our legitimate interests on the basis of Art. 6 paragraph 1 letter f) General Data Protection Regulation (GDPR). Our legitimate interests in this sense are our interest in the security and integrity of our website and the data on our web server (in particular fault and error detection, as well as tracking of unauthorized access), as well as marketing interests and interests in statistical surveys (to improve our website and our services and offers). Within the scope of a consideration, we have come to the conclusion that data processing is necessary to safeguard the aforementioned legitimate interests and that your interests or fundamental rights and freedoms, which require the protection of personal data, do not outweigh them.
Data of interested parties/data of press representatives: As far as we process data of interested parties of our services or of press representatives, this only happens if you enter this data in an input field or by e-mail for the purpose of an inquiry to us and send it to us. These entries are voluntary for you. We then process this data exclusively to process your request to us. The processing of this data voluntarily transmitted to us for the purpose of providing information about our services is carried out as pre-contractual processing in accordance with Art. 6 paragraph 1 letter b) General Data Protection Regulation (GDPR) and in addition on the basis of your consent given by transmission in accordance with Art. 6 paragraph 1 letter a) General Data Protection Regulation (GDPR).
Customer data: We process the data of our customers for the purpose of contract execution in accordance with Art. 6 paragraph 1 letter b) General Data Protection Regulation (GDPR) and/or on the basis of a given consent in accordance with Art. 6 paragraph 1 letter a) General Data Protection Regulation (GDPR). This also applies to processing procedures that are necessary to carry out pre-contractual measures (e.g. within the framework of the preparation and negotiation of offers).
Supplier data/data of business partners: We process the data of our suppliers and business partners for the purpose of contract processing in accordance with Art. 6 paragraph 1 letter b) General Data Protection Regulation (GDPR) and/or on the basis of a given consent in accordance with Art. 6 paragraph 1 letter a) General Data Protection Regulation (GDPR). This also applies to processing procedures that are necessary to carry out pre-contractual measures (e.g. within the framework of the preparation and negotiation of offers).
Recipients and Categories of Recipients of Personal Data
Your personal data will only be passed on or otherwise transmitted to third parties if this is necessary for the purpose of contract processing (e.g. to process an order) or for billing purposes (e.g. to process the payment for the purchase of goods or services) or if you have given your prior effective consent.
Categories of recipients can therefore be:
- shipping service providers, suppliers
- payment service providers, banks
B. Scope of processing of personal data via our website
We collect and use personal data of users in the context of using our website only to the extent that this is necessary for providing a functional website as well as our contents and services. The collection and use of personal data of our users generally only takes place with the user's consent. An exception applies in those cases in which prior consent cannot be obtained for factual reasons and/or the processing of the data is permitted by legal regulations.
Provision of the website and creation of log files
For technical reasons, our system automatically collects data and information every time you visit our website. These are stored in the log files of the server:
- Date and time of access,
- URL (address) of the referring website (referrer),
- Web pages accessed by the user's system on and via our website (outbound URLs),
- Screen resolution of the user,
- Requested language and fallbacks, retrieved file(s), contents and notification of the success of the retrieval (up- & download),
- Quantity of retrieved/sent data (up- & download),
- Browser, browser type and version, browser engine and engine version,
- operating system, operating system version, operating system type, and the
- anonymized IP address of the user.
This data is processed separately from other data. It is not processed together with other personal data of the user. It is not possible for us to assign this data to a specific person.
Purposes of data processing: The temporary processing of the data by the system is necessary to enable the contents of our website to be delivered to the user's computer. For this the IP address of the user must remain stored for the duration of the session.
The data is stored in log files to ensure the functionality of the website. In addition, the data serves us to optimize our offer and the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.
Legal basis of data processing: The temporary storage of data and log files is based on the legal basis of Art. 6 paragraph 1 letter f) General Data Protection Regulation (GDPR). Our predominant legitimate interest in this data processing lies in the aforementioned purposes.
Duration of storage: The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended. If the data is stored in log files, this is the case after seven days at the latest. Further storage is possible. In this case, the IP addresses of the users are deleted or obfuscated, so that an assignment of the calling client is no longer possible.
Possibility of objection and elimination: The collection of data for the provision of the website and the storage of data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility of objection on the part of the user.
Contact Form and e-mail Contact
There are contact forms available on our website which can be used for electronic communication. If a user accepts this possibility, the data entered in the input mask will be transmitted to us and stored.
These data are the following:
- e-mail address,
- Free text field for your message to us,
- Input field for spam checking.
At the time the message is sent, the following data is also stored:
- The IP address of the user,
- the date and time the message is sent.
Your consent to the processing of the data is required and requested as part of the sending process, and at the same time your attention is drawn to our legitimate interest in data processing. You will be informed again about the data processing and referred to this data protection declaration.
Alternatively, you can contact us via the e-mail address provided. In this case, the user's personal data transmitted by e-mail will be stored.
In this context, the data will not be passed on to third parties. The data is used exclusively for processing the conversation.
Purposes of data processing: The processing of personal data from the input mask serves us exclusively to process the establishment of contact and to process your request. In the event of contact, this also includes the legitimate interest in the processing of the data.
The other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.
Legal basis for data processing: If the user provides consent, the legal basis for processing the data is Art. 6 para. 1 letter a) General Data Protection Regulation (GDPR) and otherwise our legitimate interest in data processing pursuant to Art. 6 para. 1 letter f) General Data Protection Regulation (GDPR). If the contact or your request is aimed at concluding a contract, the additional legal basis for processing is Art. 6 para. 1 letter b) General Data Protection Regulation (GDPR) (implementation of pre-contractual measures). If a contract already exists (e.g. in case of a support request), we process the data according to Art. 6 para. 1 letter b) General Data Protection Regulation (GDPR) for contract implementation.
Duration of storage: Data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. For the personal data from the input mask of the contact form and those that were sent by e-mail, this is the case when the respective conversation with the user is finished. The conversation is terminated when it can be inferred from the circumstances that the facts in question have been finally clarified. The additional personal data collected during the sending process will be deleted after a period of seven days at the latest.
In the case of data processing for contract execution, the data will be deleted by us at the latest when the contract is terminated and no further claims can be asserted under the contract.
Possibility of objection and elimination: The user has the possibility at any time to revoke his consent to the processing of personal data or to object to further data processing due to justified interest (cf. above reference to special right of objection). In such a case, the conversation cannot be continued.
The revocation of the consent or the objection of further data processing are made possible by informal communication to us (e.g. by e-mail).
All personal data stored in the course of contacting us will be deleted in this case.
If data processing can be continued (in part) on the basis of other legal bases (e.g. for the execution of the contract), the data covered by this will be processed further as permitted.
When individual pages are visited, we use so-called cookies. These are small text files that are stored on the user's device (PC, smartphone, tablet, etc.). If a user visits a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic character string that enables a unique identification of the browser when the website is called up again.
In addition, cookies from third parties may be used. If this is the case, we will inform you separately in this data protection information about the respective third-party tools (such as analysis tools, plug-ins, etc.).
- Language settings,
- Selection of the time zone for displaying time data (converted into user time zone),
- Server user session cookie for linking server sessions to the respective visitor to enable script processing (pure session cookie that is deleted after the user's session/regarding all forms on the website, such as contact form and newsletter form).
We need cookies for the following applications:
- Adoption of language settings,
- Recognition of the user's time zone.
The user data collected by technically necessary cookies are not used to create user profiles.
The analysis cookies are used to improve the quality of our website and its content. Through the analysis cookies we learn how the website is used and can thus continuously optimize our offer.
Legal basis of data processing: The legal basis for the processing of personal data using cookies is Art. 6 para. 1 letter f) General Data Protection Regulation (GDPR), i.e. a legitimate interest on our part. Our legitimate interest lies in the above-mentioned purposes.
The legal basis for the processing of personal data using cookies for analytical purposes is also Art. 6 para. 1 letter a) General Data Protection Regulation (GDPR) if the user has given his or her consent in this regard.
Duration of storage, possibility of objection and removal: Some of the cookies we use are deleted after the end of the browser session, i.e. after closing your browser (so-called session cookies). Other cookies remain on your terminal and enable us or our partner companies to recognize your browser on your next visit (permanent cookies).
The website and thus the data transmissions via IT are encrypted according to the SSL standard (GeoTrust RSA CA encryption type SHA-256 with RSA encryption).
C. Rights of Data Subjects
Where personal data relating to you are processed, you are the "data subject", and as such have the following rights vis-à-vis us as the controller:
Right of Access
You have the right to obtain from us confirmation, free of charge, as to whether or not personal data concerning you are being processed by us. Where that is the case, you have a right of access to the personal data and further information pursuant to Art. 15 GDPR. For this purpose, you can contact us by mail or e-mail.
Right to Rectification
You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you also have the right to have incomplete personal data completed, including by means of providing a supplementary statement. For this purpose, you can contact us by mail or e-mail.
Right to Erasure
You have the right to obtain the erasure of personal data concerning you without undue delay where one of the grounds specified in Art. 17 GDPR applies. For this purpose, you can contact us by mail or e-mail.
Right to Restriction of Processing
You have the right to obtain from us restriction of processing where one of the grounds specified in Art. 18 GDPR applies. For this purpose, you can contact us by mail or e-mail.
Right to Notification
If you have asserted the right to rectification, erasure, or restriction of processing vis-à-vis us, we shall communicate this rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
You have a right vis-à-vis us to be notified about these recipients.
Right to Data Portability
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller without hindrance by us where the grounds specified in Art. 20 GDPR apply. For this purpose, you can contact us by mail or e-mail.
Right to Object in the Case of Processing due to Our Legitimate Interests
Where we, by way of exception, process personal data on the basis of point (f) of Art. 6 (1) GDPR (i.e. for the purposes of legitimate interests), you have the right to object to our processing of personal data concerning you at any time for reasons relating to your particular situation. If we cannot demonstrate any compelling legitimate grounds for the further processing that override your interests, rights, and freedoms or if we process the respective data for direct marketing purposes, we will no longer process your data (see Art. 21 GDPR). For this purpose, you can contact us by mail or e-mail. An objection in this meaning may also be a technical procedure that you use, e.g. clear technical information that your web browser sends us ("do not track" notification).
Right to Object if Consent Has Been Granted
You may revoke any previously granted consent to the collection and use of personal data at any time with effect for the future. For this purpose, you can contact us by mail or e-mail. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Automated Decision-Making including Profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless the decision is necessary for entering into, or performance of, a contract between you and us, is authorized by Union or Member State law to which we are subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or is based on your explicit consent.
Freedom of Provision of Data
If the provision of personal data is required by law or contract, we will always indicate this when collecting the data. Some of the data collected by us are required for the conclusion of a contract, namely if we could otherwise not or not sufficiently fulfill our contractual obligation toward you. You are under no obligation to provide personal data. However, in the event of non-provision, we might be unable to perform or offer a service, action, measure, etc. requested by you or conclude a contract with you.
Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other rights, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of personal data relating to you infringes data protection law.
Revision: May 2018