Data Privacy Statement
This data privacy statement explains the type, scope and purpose of processing personal data (hereinafter “data”) within our online service and its related websites, functions and content as well as external websites, e.g. our Social Media Profile (hereinafter jointly referred to as “online service”). With regard to the terms used, e.g. ‘processing’ or ‘controller’, please refer to the Definitions in Art. 4 of the General Data Protection Regulation (GDPR).
Eva Mayr-Stihl Stiftung
Eva Mayr-Stihl Platz 2
Phone: +49 7151 96633 - 0
Robert Mayr, Michael von Winning
Types of data processed
- Personal data (e.g. names, addresses).
- Contact data (e.g. email, phone numbers).
- Content data (e.g. text entries, photos, videos).
- Usage data (e.g. websites visited, interest in content, access times).
- Metadata / communications data (e.g. device information, IP addresses).
Purpose of processing
- Making available the online service, its functions and content.
- Answering contact requests and communicating with users.
- Security measures.
- Coverage measurement / marketing.
‘Personal data’ is all information relating to an identified or identifiable natural person (hereinafter referred to as ‘party affected’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more special characteristics which express the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
‘Processing’ is any operation or set of operations which is performed on personal data or on sets of personal data with or without the aid of automated methods. The term is far reaching and includes practically any dealings with data.
The ‘controller’ is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Relevant legal bases
In accordance with Art. 13 GDPR we notify you about the legal bases of our data processing operations. If the legal basis is not named in the data privacy statement, the following applies: The legal basis for obtaining consents is Art. 6, para. 1, letter a) and Art. 7, GDPR, the legal basis for processing to fulfil our services and carry out contractual measures and answer requests is Art. 6, para. 1, letter b) GDPR, the legal basis for processing to fulfil our legal obligations is Art. 6, para. 1, letter c) GDPR, and the legal basis for processing to safeguard our legitimate interests is Art. 6, para. 1, letter f) GDPR. If vital interests of the party affected or another natural person necessitate the processing of personal data, Art. 6, para. 1, letter d) GDPR serves as the legal basis.
We ask you to regularly inform yourself about the content of our data privacy statement. We amend the data privacy statement as soon as it is necessitated by changes to the data processing operations we perform. We will inform you as soon as the amendments require action on your part (e.g. consent) or any other individual notification.
Co-operation with processors and third parties
If we disclose data to other persons and companies (processors or third parties) in the course of our processing, transfer it to them or otherwise allow them access to the data, this will take place only on the basis of a legal permit (e.g. if the transfer of data to a third party, such as a payment service provider, is necessary for performance of a contract in accordance with Art. 6, para. 1, letter b) GDPR), on the basis of your consent, if a legal obligation provides for this or on the basis of our legitimate interests (e.g. when appointing authorized representatives, web hosting services, etc.).
If we commission third parties with processing data on the basis of a so-called ‘processor contract’, this will take place on the basis of Art. 28 GDPR.
Transfers to third countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or this occurs in the course of using the services of third parties or when disclosing or transferring data to third parties, this takes place only when it is done to fulfil our (pre-)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permits, we process or have the data processed in a third country only when the special prerequisites of Art. 44 ff. GDPR apply. That means processing takes place, e.g. on the basis of special guarantees, such as the officially recognized establishment of a data protection level equivalent to that of the EU (e.g. by the “Privacy Shield” for the U.S.A.) or observance of officially recognized special contractual obligations (so-called “standard contract clauses”).
Rights of parties affected
You have the right to demand a confirmation as to whether personal data is being processed and to information about such data as well as further information and a copy of the data in accordance with Art. 15 GDPR.
According to Art. 16 GDPR you have the right to demand the completion of incomplete data concerning you or the correction of incorrect data concerning you.
According to Art. 17 GDPR you have the right to demand that personal data concerning you is deleted without delay or, according to Art. 18 GDPR, demand a restriction of processing.
According to Art. 20 GDPR you have the right to demand that you receive personal data concerning you, which you have provided to us, and that it be transmitted to other controllers.
Furthermore, according to Art. 77 GDPR you have the right to lodge a complaint with the responsible supervisory authority.
Right to revocation
According to Art. 7, para. 3 GDPR you have the right to revoke, with effect for the future, consents given to collect and store data.
Right to object
According to Art. 21 GDPR you can object at any time to the future processing of personal data concerning you. In particular the objection can be made against processing for the purposes of direct marketing.
Cookies and right to object in case of direct marketing
‘Cookies’ are small files that are stored on users’ computers. A variety of information can be stored in the cookies. A cookie is used primarily to track information about a user (or the device on which the cookie is stored) while or even after he or she visits an online site. Temporary cookies, i.e. session cookies or transient cookies, are those that are deleted after a user leaves the site and closes his or her browser. Such a cookie can, for example, store the contents of a shopping trolley in an online shop or a login status. Persistent cookies are those that remain stored after closing the browser. For example, the login status can be stored and reactivated when the user returns to a site after several days. Similarly, the interests of the user can be stored in such a cookie and used for coverage measurement or marketing purposes. ‘Third party cookies’ are defined as cookies which are used by suppliers other than the controller who operates the online service (they are called ‘first party cookies’ if only the controller’s cookies are stored).
We may employ temporary and persistent cookies and provide information to that effect within the scope of our data privacy statement.
If users do not want to have cookies stored on their computers, they are asked to disable the appropriate option in their browser’s system settings. Stored cookies can be deleted in the browser’s system settings. The exclusion of cookies may restrict the functionality of this online service.
Deletion of data
The data processed by us is deleted or its processing is restricted in accordance with Art. 17 and 18 GDPR. Unless specifically mentioned in this data privacy statement, the data we store will be deleted as soon as it is no longer necessary for the purpose for which it was collected and its deletion does not conflict with any legal obligation to preserve commercial records. If the data is not deleted because it is necessary for other and legally permissible purposes, its processing will be restricted. This means the data will be made inaccessible and not processed for other purposes. For example, this applies to data that must be preserved for commercial or fiscal reasons.
According to statutory provisions in Germany, data must be preserved for 6 years according to Section 257, para. 1 German Commercial Code (account books, inventories, opening balance sheets, annual financial statements, commercial letters, journal vouchers, etc.) and for 10 years according to Section 147, para. 1 Revenue Code (books, records, management reports, journal vouchers, commercial and business letters, documents relevant for taxation, etc.).
According to the statutory provisions in Austria, data must be retained for 7 years according to Section 132, para. 1 Federal Revenue Code (accounting documents, vouchers/invoices, accounts, business papers, list of receipts and expenses, etc.), for 22 years in connection with land and for 10 years in the case of documents related to services provided electronically, telecommunications, radio and TV services provided to non-entrepreneurs in EU member states and utilized for the Mini-One-Stop-Shop (MOSS).
The hosting services we use serve to make available the following services: Infrastructure and platform services, computing capacity, storage space and database services, security services as well as technical maintenance services which we use for the purpose of operating this online service.
In this process we or our host provider process personal data, contact data, content data, contractual data, usage data, metadata and communications data of customers, interested parties and visitors to this online service on the basis of our legitimate interests in providing this online service efficiently and securely pursuant to Art. 6, para. 1, letter f) GDPR in conjunction with Art. 28 GDPR (conclusion of processor contract).
Collection of access data and logfiles
We or our host provider collect data on every access to the server on which this service is located (so-called logfiles) on the basis of our legitimate interests in the spirit of Art. 6, para. 1, letter f) GDPR. The access data includes the name of the website invoked, file, date and time of access, volume of data transmitted, report on successful access, browser type and version, user’s operating system, referrer URL, IP address and the inquiring provider.
Logfile information is stored for security reasons (e.g. to investigate misuse or fraudulent activities) for a period of no more than 7 days and subsequently deleted. Data that has to be kept for longer for use as evidence is exempted from deletion until final clarification of the incident in question.
Performance of our statutory and business services
We process the data of our members, supporters, interested parties, customers or other persons according to Art. 6, para. 1, letter b) GDPR if we offer them contractual services or take action within the scope of existing business relations, e.g. vis-à-vis members, or are ourselves the recipient of services and donations. Apart from that, we process the data of affected parties according to Art. 6, para. 1, letter f) GDPR on the basis of our legitimate interests, e.g. when administrative tasks or public relations work are involved.
The data processed in this case, the nature, scope and purpose and necessity of its processing are determined by the underlying contractual relationship. This always includes personal and master data of the persons (e.g. name, address, etc.) as well as the contact data (e.g. email address, phone number, etc.), contract data (e.g. services used, content and information communicated, names of contact persons) and, if we offer services or products requiring payment, payment data (e.g. bank account, payment history, etc.).
We delete data that is no longer necessary for performance of our statutory and business purposes. This is determined according to the respective tasks and contractual relations. In the case of commercial processing we preserve the data as long as it may be relevant for completion of the business and also with regard to any warranty or liability obligations. The necessity for preserving data is reviewed every three years; in other respects the statutory obligations to preserve commercial records apply.
Administration, financial accounting, office organization, contact management
We process data within the scope of management tasks as well as the organization of our business, financial accounting and compliance with legal obligations, e.g. archiving. In doing so we process the same data which we process in performing our contractual services. The bases for processing are Art. 6, para. 1, letter c) GDPR, Art. 6, para. 1, letter f) GDPR. Customers, interested parties, business partners and website visitors are affected by processing. The purpose and our interest in processing is in administration, financial accounting, office organization, archiving data, i.e. tasks that serve our business activities, exercising our tasks and performing our services. The deletion of data with regard to contractual services and contractual communications conforms to information indicated for these processing operations.
In doing so we disclose or transmit data to the fiscal authority, consultants, e.g. tax consultants or public accountants as well as other authorities and payment service providers.
Furthermore, we store on the basis of our business interests details of suppliers, event organizers and other business partners, e.g. for the purpose of making contact at a later date. As a matter of principle we store this predominantly company-related data permanently.
When contact is made with us (e.g. by contact form, email, phone or via social media) the details of the user are used in order to process the contact request and its handling in accordance with Art. 6, para. 1, letter b) GDPR. The details of the users may be stored in a Customer Relationship Management System (CRM System) or comparable organization system.
We delete the requests if they are no longer needed. We review the necessity every two years; furthermore, the statutory archiving obligations apply.
Coverage measurement with Matomo
For the purposes of the coverage analysis by Matomo the following data is stored on the basis of our legitimate interests (i.e. interest in the analysis, optimizing and economic operation of our online service in the spirit of Art. 6, para. 1, letter f) GDPR): the browser type and browser version you use, the operating system you use, your country of origin, date and time of the server request, the number of visits, the time you spend on the website and the links you activate. The user’s IP address is anonymized before it is stored.
Users may object at any time to anonymized data collection by the Matomo program in the future by clicking on the link below. In such a case a so-called ‘opt out cookie’ is installed on your browser which prevents Matomo collecting any session data. However, when users delete their cookies it means that the ‘opt out cookie’ is also deleted and therefore has to be reactivated by the users.
The logs with the data of users are deleted after no more than 6 months.
Integration of third-party services and content
On the basis of our legitimate interests (i.e. interest in the analysis, optimizing and economic operation of our online service in the spirit of Art. 6, para. 1, letter f) GDPR) we use within our online service the content or service packages of third-party suppliers in order to integrate their content and services, e.g. videos or typefaces (hereinafter referred to as ‘content’).
This always assumes that the third-party suppliers of such content identify the IP address of the user because they would not otherwise be able to transmit the content to the browser without the IP address. The IP address is thus necessary to show such content. We endeavor to use only content whose respective supplier uses the IP address solely to deliver the content. Furthermore, third-party suppliers may employ so-called pixel tags (invisible graphics also known as web beacons) for statistical or marketing purposes. The pixel tags enable information such as the visitor traffic on the pages of this website to be analyzed. Furthermore, information under pseudonyms may be stored in cookies on the user’s device and contain among other things technical information on the browser and operating system, referenced websites, duration of visits as well as other details on the use of our online service, and may also be combined with such information from other sources.