Privacy

Privacy Statement: GDPR

(General Data Protection Regulation)

Welcome to our website!

The Schöpflin Foundation in Lörrach, Germany, attaches great importance to compliance with the provisions of data protection regulations.  As a rule, it is possible to use our website without having to provide any personal data.  If, however, you make use of specific services via our website, we may need to process personal data.  Should we need to do this but no legal basis exists for processing the personal data, we shall seek your permission before we do so.

We shall always process your personal data – e.g. name, address, email address or telephone number – in accordance with the General Data Protection Regulation (GDPR) and the latest version of the German Federal Data Protection Act (known as the BDSG), and in compliance with any other data protection regulations currently in force in Germany.  By way of this Privacy Statement, we would like to inform you of the nature, extent and purpose of the personal data that we collect, use and process.

This Privacy Statement also sets out your rights in this regard.

As a data ‘controller’ (see definitions below) we have put in place numerous technical and organisational measures to ensure that the personal data processed via this website are as secure as possible.  However, web-based data transfer (e.g. emails) may not be completely secure and as such it is not possible to guarantee absolute data security.  For this reason, you are very welcome, at any time, to transmit personal data to us by alternative means – e.g. by telephone or by post.

Definitions

Our Privacy Statement is based on the terminology used in European directives and by the European regulator in relation to the adoption of the General Data Protection Regulation (GDPR).  Our aim is to ensure that our Privacy Statement is straightforward to read and understand – both for the general public and for our clients and partners.  In order to ensure this, we begin by listing the terms used, as defined in Article 4 of the GDPR:

a) Personal Data
Personal Data means any information relating to an identified or identifiable natural person (hereinafter referred to as ‘data subject’ or addressed directly, e.g. ‘you’).  An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

b) Data Subject
A Data Subject is any identified or identifiable natural person whose personal data is processed by those responsible for processing data.

c) Processing
Processing means any operation or set of operations which is performed on personal data – whether or not by automated means – such as collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

d) Restriction of Processing
Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.

e) Pseudonymisation
Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

f) Controller
The controller – or the person or body responsible for processing data – means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.  Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

g) Processor
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

h) Recipient
Recipient means a natural or legal person, public authority, agency or another body to which the personal data are disclosed, whether a third party or not.  However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

i) Third Party
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

j) Consent
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Name and Address of the Body Responsible for Data Processing

The controller – as defined by the General Data Protection Regulation, by other data protection laws applicable in EU Member States, and by other regulations and provisions relating to data protection – is:

Schöpflin Stiftung (Foundation)
Industriestr. 2
79541 Lörrach
Germany

Tel: +49 7621-98690-00
Email: kontakt@remove-this.schoepflin-stiftung.de

Data Protection Officer

The Schöpflin Foundation has appointed an external data protection officer:

Sebastian Koye
Datenschutzklinik
Basler Landstr. 115
79111 Freiburg
Germany

Tel: +49 761-59519814
Email: datenschutz@remove-this.datenschutzklinik.de

Cookies

Our website uses cookies.  These are small text files that are placed on your computer by your internet browser (e.g. Firefox, Chrome, Safari, Edge, Internet Explorer, Opera).

Many websites and servers use cookies.  Many cookies contain a cookie ID.  This is a unique identifier made up of a sequence of characters which enables websites and servers to identify a user’s unique internet browser on which the cookie was stored.  This enables websites and servers you visit to distinguish between your internet browser and other people’s browsers which also contain cookies.  A unique cookie ID is therefore able to recognise and identify a specific internet browser.

By using cookies, we can provide our website users with more user-friendly services; this would not be possible without the use of cookies.

You may at any time adjust the settings on your browser to prevent our website from storing cookies on your computer and thereby permanently reject the use of cookies.  Furthermore, you can, at any time, adjust your internet browser settings or use other software to remove cookies already placed on your computer.  All modern internet browsers have this function.  If you decide to deactivate cookies on your browser, you may not be able to make full use of all the functions on our website.

Collection of general data and information via the website

When you visit our website, our system collects a set of general data and information.   This general data and information is stored in our server’s logfiles.  The following information can be collected: (1) the type and version of the browser you use; (2) the operating system used by your computer; (3) the website via which your computer accessed our website (the so-called ‘referrer’); (4) sub-sites directed to our website via an accessing system; (5) the date and time of each access to our website; (6) the Internet Protocol Address (IP address); (7) the internet service provider of the accessing system; and (8) other similar data and information that serve to protect our IT systems against attack.

In using this general data and information we draw no conclusions about you as the data subject.  Instead this information is needed for the following reasons: (1) to ensure the proper delivery of the contents of our website; (2) in order to optimise the content of our website and adverts; (3) in order to guarantee the operational reliability of our IT systems and the technology used to run our website; and (4) in order, in the event of a cyber-attack, to provide law enforcement agencies with the necessary information for them to make a prosecution.  This anonymously collected data and information is therefore analysed by us both statistically and in order to enhance data protection and data security within our organisation, ultimately in order to ensure the best possible level of protection for the personal data that we process.  The anonymous data on the server logfiles are stored separately from all personal data provided by a data subject.

Contact details provided via the website

Our website contains a contact form that facilitates rapid electronic contact with our organisation and direct communication with us; the website also provides a generic address for so-called electronic mail (i.e. email address).  When a data subject contacts us by email or via the contact form the personal data provided by the data subject are automatically stored.  This personal data thus freely provided to us by a data subject for due processing shall be stored for processing purposes or for the purpose of contacting the data subject.  As soon as these purposes have been completed (e.g. once your inquiry has been processed and completed), the personal data shall be deleted. The only exception to this shall be any statutory data retention rules which we are legally obliged to observe.

Deletion and blocking of personal data

We shall only store your personal data for as long as the storage purpose applies or for as long as provided for by European directives and by the European regulator or by other laws and regulations to which we are subject.

Should the storage purpose no longer apply or should a data storage period as defined by European directives and by the European regulator or by other relevant legislation expire, your personal data shall be deleted or blocked in accordance with the relevant legal provisions.

Data subject’s rights

a) Right to information
You have the right, as conferred by European directives and the European regulator, to be informed by us at any given time and free of charge as to whether or not we have stored personal data about you.

Should this indeed be the case, you then have the right to the following information:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from us rectification or erasure of personal data or restriction of processing of personal data concerning the data subject by us or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the personal data are not collected from the data subject, any available information as to their source;
  • the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

If you wish to assert your right to information you may do so at any time by contacting us.

b) Right to rectification
The data subject has the right, as conferred by European directives and the European regulator, to obtain without undue delay the rectification of inaccurate personal data concerning him or her.  Furthermore, taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

If you wish to assert your right to rectification you may do so at any time by contacting us.

c) Right to erasure (right to be forgotten)
You have the right, as conferred by European directives and the European regulator, to obtain from us the erasure of your personal data without undue delay where one of the following applies and provided the processing thereof is no longer required:

  • if one of the above noted grounds applies and you wish us to erase your personal data that we have stored, you may contact us to this effect at any time;
  • if we have made your personal data public and we are obliged pursuant to Article 17 (1) of the GDPR to erase that personal data, we – taking account of available technology and the cost of implementation – shall take reasonable steps to inform other data controllers (e.g. data processors) that are processing your personal data that you have requested the erasure of your personal data or copies thereof.  This shall be carried out provided the data does not need to be processed in order to comply with other legal provisions;
  • if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • if you withdraw consent on which the processing is based according to point (a) of Article 6 (1) of the GDPR or point (a) of Article 9 (2), and where there is no other legal ground for the processing;
  • if you object to the processing pursuant to Article 21 (1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21 (2) of the GDPR;
  • if your personal data have been unlawfully processed;
  • if your personal data have to be erased for compliance with a legal obligation in Union or Member State law to which we, the data controller, are subject;
  • the personal data have been collected in relation to the offer of information society services referred to in Article 8 (1) of the GDPR.

If you wish to assert your right to erasure you may do so at any time by contacting us.

d) Right to restriction of processing
You have the right, as conferred by European directives and the European regulator, to obtain from us restriction of processing where one of the following applies:

  • one of the above noted provisions applies and you demand the restriction of personal data that we have stored;
  • the accuracy of the personal data is contested by you, for a period enabling us as the data controller to verify the accuracy of the personal data;
  • the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
  • we, as the data controller, no longer need the personal data for the purposes of the processing, but they are required by you, as the data subject, for the establishment, exercise or defence of legal claims and as such you wish, for example, to prevent the erasure of the personal data;
  • you have objected to processing pursuant to Article 21 (1) of the GDPR pending the verification whether the legitimate grounds asserted by us, as data controller, override your own, as the data subject.

If you wish to assert your right to restriction of processing, you may do so at any time by contacting us.

e) Right to data portability
You have the right, as conferred by European directives and the European regulator, to receive the personal data which you have provided to us, as data controller, in a structured, commonly used and machine-readable format.

You also have the right to transmit these data to another data controller without hindrance from us provided the processing is based on consent pursuant to point (a) of Article 6 (1) of the GDPR or point (a) of Article 9 (2) of the GDPR or on a contract pursuant to point (b) of Article 6 (1) of the GDPR; and the processing is carried out by automated means, provided the processing is not required for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.

You also have the right of data portability as per Article 20 (1) of the GDPR and can demand that your personal data be transmitted – where technically feasible – directly from us to another data controller without hindrance or detriment; this right shall not adversely affect the rights and freedoms of others.

If you wish to assert your right to data portability, you may do so at any time by contacting us.

f) Right to object
You have the right, as conferred by European directives and the European regulator, to object, on grounds relating to your particular situation, at any time to the processing of your personal data which is based on point (e) or (f) of Article 6 (1) of the GDPR.  This shall also apply to profiling based on these provisions.

In the event of such an objection as described above, we shall no longer process your personal data unless we, as the data controller, can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or such processing is necessary for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes you shall have the right to object at any time to the processing of your personal data for such marketing.  This shall also apply to profiling to the extent that it is related to such direct marketing.  If you object to us processing your personal data for the purposes of direct marketing, we shall no longer process your personal data for such purposes.

Furthermore, where your personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89 (1) of the GDPR, you – as the data subject – on grounds relating to your particular situation, shall have the right to object to the processing of your personal data, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

If you wish to assert your right to object, you may do so at any time by contacting us.  In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

g) Right to withdraw consent for the use of personal data
You have the right, as conferred by European directives and the European regulator, at any time to withdraw your consent for the processing of your personal data.

If you wish to assert your right to withdraw your consent for the use of personal data, you may do so at any time by contacting us.

h) Right to lodge a complaint with a supervisory authority
You have the right, as conferred by European directives and the European regulator and without prejudice to any other administrative or judicial remedy, to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you, as the data subject, consider that the processing of your personal data infringes this Regulation.

Integrating Vimeo

On our website we also integrate Vimeo videos into our content. Vimeo is a platform provided by Vimeo Inc.
Contact details: Legal Department, 555 West 18th Street, New York 10011 USA

You can find the Vimeo privacy policy via the following link: https://vimeo.com/privacy

We would also like to point out that Vimeo may use Google Analytics.  We therefore refer you to Google’s privacy policy: https://www.google.com/policies/privacy

For opt-out options from Google Analytics, please see the following link: https://tools.google.com/dlpage/gaoptout?hl=en

Details on how to prevent Google from using your data for marketing purposes can be found via the following link: https://adssettings.google.com/

Integrating YouTube

On our website we also integrate YouTube videos into our content. YouTube is a platform provided by Google LLC
Contact details: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

You can find the YouTube privacy policy via the following link: https://www.google.com/policies/privacy/

For opt-out options, please see the following link: https://adssettings.google.com/authenticated

Integrating Google Maps

On our website we also integrate maps provided by the Google Maps service.

The Google Maps service is provided by Google LLC
Contact details: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

The data processed by Google Maps can include, specifically, IP addresses and user locations.  These data are not however collected without the user’s consent – which is usually provided via settings on your mobile device.  This data can be processed in the USA.

You can find the Google Maps privacy policy via the following link: https://www.google.com/policies/privacy/

For opt-out options, please see the following link: https://adssettings.google.com/authenticated

Newsletters

If you subscribe to our newsletter, you are declaring both that you consent to receiving the newsletter and to the method by which it is sent to you, details of which are set out below.

We only send emails containing adverts (hereinafter referred to as ‘Newsletters’) if we have the consent of the recipient and provided the recipient has given this consent in a way that has been properly logged or through a statutory authorisation.  Provided the content of our newsletter is clearly described when a person subscribes to it, this description shall be deemed to be the basis on which the subscriber gives his or her consent to subscribe.  Our newsletters also contain information about our services and about our organisation.

Subscribing to our newsletter is done via the so-called double opt-in procedure.  This means that once you have registered to receive our newsletter, you will receive an email which asks you to confirm that you wish to subscribe.  This confirmation is necessary in order to avoid people subscribing by using someone else’s email address.  Subscriptions to our newsletter are logged so that we can demonstrate that we have complied with the legal requirements relating to the registration process.  This includes storing the registration and confirmation times, as well as the IP address.  Equally any changes to your stored data will be logged with our mailing service provider.

Subscription data: in order to subscribe to our newsletter, we only require your email address.  We also request – but this is optional only – that you provide us with your name so that we can address the newsletter to you by name.

The despatch of the newsletter and any performance measurement associated with it shall be done on the basis of the consent of the recipient in accordance with Article 6 §1 (a) and Article 7 of the GDPR and in conjunction with §7 (2) no. 3 of the UWG (German Fair Trade Practices Act) or, as the case may be, on the basis of legal permission as per §7 (3) of the UWG.

The logging of the registration process shall be carried out on the basis of our legitimate interests as per Article 6 §1 (f) of the GDPR.  Our interests are to provide a user-friendly and secure newsletter system that both serves our business interests and meets our users’ expectations.  The system also needs to provide us with verification of consent from our newsletter subscribers.

You are free at any time to withdraw your consent to receiving our newsletter.  You can do this in writing, by telephone or by email.  You will also find the unsubscribe link at the end of each newsletter.  We are entitled to store, for up to three years, the email addresses of newsletter recipients who have unsubscribed; these email addresses will then be deleted.  This right of storage is granted to us on the basis of our legitimate interests, namely that we need to be able to prove that a subscriber did at one point in time give us consent to receive our newsletter.  The processing of these data shall be limited to defending any potential claims.  You may at any time request the erasure of these data provided that any such request includes confirmation of the former existence of your consent to receive the newsletter.

Lawfulness of Processing

The legal basis we shall use for processing procedures – where we obtain consent for a specific processing purpose – shall be Article 6 §1 (a) of the GDPR.  If the processing of the personal data is necessary for the performance of a contract to which you, as the data subject, are party – which may, for example, be the case for data processing which we need to carry out in order to provide our service or to meet other commitments – this processing shall be governed by Article 6 §1 (b) of the GDPR.

The same shall also apply to those processing procedures which are required for the implementation of pre-contractual measures – namely in the event of requests for our products or services.  Where our organisation is subject to a legal obligation that necessitates the processing of personal data, e.g. in order to comply with taxation obligations, such processing shall be carried out in accordance with Article 6 §1 (c) of the GDPR.

In rare cases it may be necessary to process personal data in order to protect the vital interests of a data subject or of another natural person.  An example of this would be if a visitor to our offices were to be injured and then that person’s name, age, health insurance data or other vital information needed to be passed on to a doctor, hospital or other third party.  In such cases the processing of personal data would be governed by Article 6 §1 (d) of the GDPR.

Finally processing procedures may be carried out in accordance with Article 6 §1 (f) of the GDPR.  This provision covers processing procedures not covered by any of the provisions above where the processing is necessary for the purposes of the legitimate interests pursued by our organisation or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms.  These processing procedures are granted to us in particular because they are specifically mentioned in the recitals to the GDPR.  In this regard, the text states that such legitimate interest could exist if you, as a data subject, are our client (see recital 47, sentence 2, of the GDPR).

Legitimate interest in processing carried out by us or third parties

Insofar as the processing of personal data is based on Article 6 §1 (f) of the GDPR, our legitimate interest is the performance of our business activity to the good of all our colleagues and shareholders.

Storage period for personal data

The criterion for the storage period for personal data is the currently applicable retention period legislation.  Below, by way of example, we have listed two current regulations:

  • 6 years pursuant to § 257 (1) of the HGB (German Commercial Code).  This covers account books, inventories, opening balance sheets, end-of-year accounts, commercial letters, accounting documents etc.
  • 10 years pursuant to § 147 (1) of the AO (German Tax Code).  This covers accounts, records, management reports, accounting documents, commercial letters, documents relating to tax issues, etc.

Once the retention period has expired the relevant data are routinely erased, provided they are no longer required to perform or initiate a contract.

Legal or contractual regulations governing the provision of personal data; necessity for the conclusion of contracts; requirement of the data subject to provide personal data; possible consequences of the failure to provide data

We hereby inform you that the provision of personal data is, in part, a legal requirement (e.g. tax regulations) or can arise from contractual arrangements (e.g. contractual partner details).

Sometimes, in order to conclude a contract, it may be necessary that you, as a data subject, provide us, as a data controller, with data that we then need to process.  You are for example required to provide us with personal data if our organisation concludes a contract with you.  If, in such a scenario, you did not provide us with these personal data, then we would not be able to conclude the contract with you.

Before providing us with personal data, please contact us.  We will be pleased to explain to you whether, in your specific case, the provision of personal data is a legal or contractual requirement or if it is required in order to conclude a contract.  We will also be able to explain whether or not you are under an obligation to provide these personal data and what the consequences would be of not providing the personal data requested.

Use of Matomo (formerly Piwik)

(1) This website uses the web analytics software platform, Matomo, to analyse how the Foundation’s website is used and to enable us to make regular improvements to the site.  By using the information gathered in this way we are able to improve our service and make it more interesting for you as a user.  The legal basis for the Foundation’s use of Matomo is Article 6, para. 1 (f) of the GDPR (EU General Data Protection Regulation).

(2) In order to carry out this data analysis, cookies are stored on your computer.  Information gathered in this way will be stored by the controller exclusively on the controller’s server in Germany.  You have the right to block this data analysis by deleting relevant cookies and by blocking further cookies from being stored on your computer.  Please be aware that by blocking cookies you may no longer be able to make full use of this website.  You can block cookies by appropriately adjusting your browser software.  You can block the use of Matomo by unchecking the following box which will then activate the opt-out plug-in.

(3) This website uses Matomo and its ‘Anonymize IP’ extension.  This abbreviates IP addresses and thus prevents them being directly linked to an individual.  The IP address that we receive from your browser via Matomo is not amalgamated with other data that we gather.

(4) Matomo is an open-source project.  For more information about data protection in relation to third party service providers, please use the following link: https://matomo.org/privacy-policy/.