Data Protection and Privacy Statement
Basic information
Data subjects
This data protection and privacy statement is aimed at all persons who visit this website.
Controller
The controller for the processing described herein is:
Lufthansa Innovation Hub GmbH
Brunnenstrasse 19-21
10119 Berlin, Germany
represented by its managing director Christine Wang.
datenschutz@lh-innovationhub.com
The Group Data Protection Officer – FRA CJ/D can be reached as follows:
datenschutz@dlh.de
Deutsche Lufthansa AG
Airportring – LAC
60546 Frankfurt, Germany
Rights
(1) Data subjects have the following rights with regard to the data stored concerning them personally: the right of access to information, the right to rectification of inaccurate data, the right to erasure of data for which there is no longer any reason for storage, and the rights to restriction of processing and to data portability. Moreover, they have the right to lodge a complaint with the supervisory authority with jurisdiction over the controller.
(2) Where the processing is based on consent granted by the data subjects, the data subjects are permitted to withdraw that consent at any time, with effect for the future. This can be done, for example, by sending a message via any of the contact channels mentioned above (controller), with no particular form required.
(3) Where the processing is based on fulfillment of a legitimate interest, meaning on point (f) of Article 6(1) of the EU General Data Protection Regulation (GDPR), the data subjects are permitted to object to the processing at any time. This can be done, for example, by sending a message via any of the contact channels mentioned above (controller), with no particular form required. If the objection is justified, the processing will be discontinued. Where the legitimate interest lies in direct marketing, an objection is always deemed to be justified.
Transfers of data to countries outside the European Union
(1) Where personal data are transferred to bodies outside the European Union, the controller is obligated to communicate additional safeguards pursuant to Articles 44 et seqq. GDPR.
(2) Where the controller invokes what is known as an adequacy decision in the data protection and privacy statement that follows, this means the recipient is located in a country, territory, or specified sector that the European Commission has decided offers an adequate level of data protection. In these cases, the guarantee follows from Article 45 GDPR.
(3) Where the controller invokes what are known as the EU standard contractual clauses in the data protection and privacy statement that follows, this means that the recipient has undertaken a contractual commitment to observe the EU data protection principles on the basis of what are known as the EU standard contractual clauses. In these cases, the guarantee follows from Article 45 GDPR.
(4) Where the controller invokes what are known as binding corporate rules in the data protection and privacy statement that follows, this means the competent supervisory authority has approved the transfer. In these cases, the guarantee follows from Article 47 GDPR.
(5) Where, in the data protection and privacy statement that follows, the controller invokes the fact that the data subjects have expressly consented to the transfer of their data to a country outside the European Union, this means that they are aware of all of the associated risks and consent to the transfer nevertheless. In these cases, the guarantee follows from point (a) of Article 49 (1) GDPR. In this context, please note the following risks: There are no codified provisions of law on data protection and privacy that are comparable to the GDPR in the United States, the Republic of India, or the Russian Federation. The authorities there have given themselves extensive access to data, and the principle of proportionality stipulated in the EU does not apply. Moreover, these countries do not provide any effective legal protections for EU citizens.
(6) The foregoing information is provided by way of precaution only. It applies only if and insofar as the data protection and privacy statement that follows makes reference thereto.
Further remark
(1) No automated decision making, including profiling, takes place.
(2) There is no legal obligation of processing except where point (c) of Article 6(1) GDPR is referenced below.
Processing operations in conjunction with contracts
Purpose and legal basis
Unless otherwise indicated in this section (“Processing operations in conjunction with contracts”), the purpose of all processing operations described in this section is to establish, perform, and/or terminate contracts. The legal basis is as follows in the following cases: a. for contracts that are not employment contracts, point (b) of Article 6(1) GDPR. b. for employment contracts, Article 88 GDPR in conjunction with Sec. 26 (1) of the 2018 version of the German Federal Data Protection Act (BDSG 2018).
Duration of storage
We process your data as long as it is necessary for the fulfilment of our contractual and legal obligations. When the purpose for which your data was processed ceases to apply, it will be deleted, unless its retention is required for the following purposes:
Fulfilment of retention periods under commercial and tax law, such as those arising from the German Commercial Code or the German Fiscal Code; these periods are up to 10 years.
Preservation of evidence within the framework of the statute of limitations. According to §§ 195 ff. of the German Civil Code (BGB), these limitation periods can be up to 30 years, with the regular limitation period being three years. In these cases, your data will be blocked so that it can no longer be processed for other purposes.
Deletion of your account
If you no longer wish to use the services of the App, you can delete your account at any time. Your personal data collected in the course of using the App will then be deleted immediately - subject to conflicting retention reasons and obligations. You can delete your account yourself by contacting us at welcome@lh-innovationhub.com. Likewise, we reserve the right to delete your account if you have not used it for 2 years.
Tracking tools and cookies
Tracking tools
This website uses Google Analytics, a web analytics service provided by Google Ireland Limited ("Google"). Google Analytics uses cookies that are stored on your terminal device and that enable an analysis of the use of our website. The information generated by the cookies about your use of our website is usually transferred to a Google server in the USA and stored there. As part of the use of Google Analytics, personal data such as IP address, location, time spent on the website and demographic characteristics are collected and processed. This data is used exclusively for the analysis of user behaviour on our website and serves to improve the offer for our users. You may refuse the use of cookies by selecting the appropriate settings on your browser; however, please note that if you do this you may not be able to use the full functionality of our website. You can also prevent the data generated by the cookie and related to your use of our website (including your IP address) from being collected by Google, and prevent the processing of this data by Google, by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de. For more information on Google's use of data, settings and opt-out options, please see Google's privacy policy.
Cookies
This website uses cookies to provide you with an optimal user experience and to collect statistical data about the use of our website. Cookies are small text files that are stored on your terminal device and contain certain information. By using cookies, we can make it easier for you to navigate our website and tailor our services to your needs. There are two types of cookies that we use: On the one hand, technically necessary cookies are essential for the function of the website. These include, for example, cookies that store your login data or the language settings of your browser. On the other hand, we also use cookies for analysis purposes. These cookies enable us to analyze the use of our website and to improve our offer. The analytics cookies we use come from third-party providers, such as Google Analytics, and collect information such as your IP address, browser type, the operating system of your terminal device, and similar data. You can control the use of cookies at any time via your browser settings and, if necessary, also reject them. Please note, however, that in this case, you may not be able to use all the functions of our website to their full extent.
Scheduling of appointments
In brief: Data subjects can schedule appointments with this controller on this website, with the controller receiving, storing, and using all of the data required in order to make the appointment.
Processing in detail: If the data subjects wish to make an appointment for an interview with this controller, they can view available appointment dates and times and simply select one via an appointment scheduling portal that is integrated into this website. This controller will then receive a notification from the appointment scheduling portal.
Data that are processed: All data collected during scheduling of an appointment (typically name, email address, appointment date and time).
Third-party provider: The appointment scheduling tool Calendly from provider Calendly LLC BB&T (USA) is used. This entity has been engaged in accordance with Article 28 GDPR. For further details on the nature and manner of processing by this third-party provider, please consult the following links: https://calendly.com/de/pages/privacy and https://calendly.com/de/pages/security. The fact that the provider is based outside the EU, in this case in the United States, and processes data, also does not conflict with the data processing operations. This is because no transfer of data controlled by the controller within the meaning of Article 44 GDPR takes place. The controller has not incorporated the appointment scheduling page into its own Internet page (for instance via iframe), but instead has incorporated a call to action button via which the data subject independently accesses the Calendly website. For this reason, it is not the controller that transfers the data subject’s data to the United States, but rather the data subject him- or herself. Even if this were viewed differently, the provider has, at the least, undertaken an obligation in accordance with the EU standard contractual clauses (Article 46 GDPR).
Automated communication and interaction
In brief: The controller uses the data subjects’ communication and interaction data for automated communication and interaction with the data subjects.
Your personal data
The following personal data is processed in the course of using the platform:
First and last name (optional)
Email address
Phone number (optional)
Document number (optional)
Date of birth (optional)
In order to register for the waitlist, we integrate the service provider Typeform SL, Pallars 108 (Attico - Typeform), 08018 - Barcelona (Spain). This tool is used on the basis of Art. 6 sect. 1 lit. b GDPR. For more details on the privacy policy of Typeform, follow this link: https://admin.typeform.com/to/dwk6gt. Within a form embedded on our website, the user is asked to enter personal information which will then be processed by us. Some of the information is required, such as your contact details. If you contact us by email regarding your booking request, we will process your email address and the content of the email. We keep email communication for 12 months, unless statutory retention periods apply. In this case, we keep the email communication for 6 or 10 years in accordance with the law. Your data will be deleted or (if we are obliged to retain them due to legal conditions or contractual agreements) blocked as soon as the purpose of the data transfer has been fulfilled or if you inform us of your wish to do so.
Processing operations with the consent of data subjects
Purpose and legal basis
Unless this section (“Processing operations with the consent of data subjects”) indicates otherwise, the processing operations are based solely on the consent of the data subjects. The relevant purpose is mentioned in the individual description of the processing. The legal basis is as follows in the following cases: a. for data subjects that are not employees of the controllers, point (a) of Article 6(1) GDPR. b. for employees of the controllers, Article 88 GDPR in conjunction with Sec. 26 (2) BDSG.
Duration of storage
(1) Personal data whose processing is described in this section are processed until the relevant consent has been withdrawn.
(2) Notwithstanding paragraph (1) above, the controller retains the data showing that consent has been granted for three years, with this period commencing on December 31 of the calendar year in which the consent is withdrawn. Notwithstanding the information above (processing operations with the consent of data subjects / purpose and legal basis), this processing serves to fulfill the legal obligation to be able to prove that consent has been granted. The legal basis is point (c) of Article 6(1) GDPR in conjunction with Article 7(1) GDPR by way of exception in these cases. This obligation ceases to apply three years after the consent is withdrawn, and in any event no later than the expiration of the limitation period.
Nature of consent (cookie consent tool)
Certain declarations of consent, particularly those that the controller obtains for the use of marketing and/or analysis cookies and the associated data processing, are obtained via what is known as a cookie consent tool. All data (IP address, consent status) are stored in this process. Notwithstanding the information above (processing operations with the consent of data subjects / purpose and legal basis), this processing serves to fulfill the legal obligation to be able to prove that consent has been granted. The legal basis is point (c) of Article 6(1) GDPR in conjunction with Article 7(1) GDPR by way of exception in these cases. This obligation ceases to apply three years after the consent is withdrawn, and in any event no later than the expiration of the limitation period.
Analytical tools
In brief: The controller uses cookies to analyze use behavior on and interaction with this website. After that, the controller analyzes and interprets this information to be able to design this website on an even more targeted basis.
Processing in detail: What are known as cookies are used to analyze user behavior by data subjects on this website. These are text files that are stored on the computer of data subjects and enable analysis of the use of the website. The information on use behavior is used to create reports on activity and interactions. This controller uses these data to be able to improve the use experience on the website on a regular basis. The controller can also use the statistics generated to improve what it offers in order to steer the interest of data subjects on a more targeted basis toward products and services that are suitable for them.
Data that are processed: Cookie-based data regarding the interactions (especially sequence of interactions, duration of stay).
Third-party provider: The analytical tool Google Analytics from Google Ireland Ltd. (Ireland, EU) is used in conjunction with the analysis of use behavior. This entity has been engaged in accordance with Article 28 GDPR. For further details on the nature and manner of processing by this third-party provider, please consult the following link: https://support.google.com/analytics/answer/9306384?hl=de. The following is added on this point: The IP address is truncated (shortened) beforehand by the provider within Member States of the European Union or in other states that are signatories to the Agreement on the European Economic Area. Only in isolated cases is the full IP address transferred to a server of the provider in the United States and truncated there. The IP address transferred by the browser within the scope of the use of this tool is not combined with other data by the provider. The tool is also used for a cross-device analysis of visitor streams that is performed via a user ID. The data subjects can deactivate the cross-device analysis in their customer account under “My data” / “Personal data.” For information purposes, it is pointed out that this tool is used with the extension “_anonymizeIp().” As a result, IP addresses are truncated before they are processed further, which thus rules out the possibility of being associated with a specific person. Where the data collected regarding the data subjects do relate to a specific person, this association is thus ruled out immediately, and the personal data are thus erased right away. It does not conflict with the processing that the data are transferred to the United States, possibly in cooperation with Google LLC (USA). This is because the processing of the personal data takes place only if the data subjects consent to the associated transfer of data to the United States (see point (a) of Article 49(1) GDPR). 
In this regard, the risk information mentioned above (basic information / transfers to countries outside the European Union) is the operative factor.
Third-party provider: The central control tool Google Tag Manager from Google Ireland Ltd. (Ireland, EU) is used in conjunction with the analysis of use behavior. This entity has been engaged in accordance with Article 28 GDPR. For further details on the nature and manner of processing by this third-party provider, please consult the following links: https://marketingplatform.google.com/intl/de/about/tag-manager/. The following is added on this point: This tool allows the controller to incorporate various codes and services into this website in an organized and simplified way. In the process, this tool implements the tags or triggers the tags incorporated with it. When a tag is triggered, the provider may also process personal data. In the process, it is not impossible that the provider may also transfer the data to a server in a third country. Nonetheless, it does not conflict with the processing that the data are transferred to the United States, possibly in cooperation with Google LLC (USA). This is because the processing of the personal data takes place only if the data subjects consent to the associated transfer of data to the United States (see point (a) of Article 49(1) GDPR). In this regard, the risk information mentioned above (basic information / transfers to countries outside the European Union) is the operative factor.
Social media and networks (including means of marketing)
In brief: The controller uses social media and social networks, including for marketing and acquisition purposes. This gives the controller detailed information on the visitors to its websites and how data subjects interact with social media and networks. The controller also uses these media and networks on a targeted basis to reach out to and identify potential customers for marketing purposes.
Processing in detail: The controller uses social media and social networks. The controller has no influence over the data collected or the data processing operations, nor is it fully aware of the full scope of the data collection, the purposes of processing, the storage periods, or the circumstances surrounding the erasure of personal data. If and when data subjects visit the controller’s corporate and product pages on social media or ads, it is possible that the providers of the social media and networks may store the data collected regarding them as use profiles and use these profiles for purposes of advertising, market research, and/or demand-driven design of their websites. Data subjects have a right to object to the formation of these user profiles, but must contact the relevant provider to exercise this right. To the extent that this controller is able to influence the nature and scope of the associated processing of personal data, the purpose thereof consists in presenting the controller, analyzing the use behavior of data subjects in relation to the interaction with the corporate and/or product page maintained there, and communicating with the data subjects via this social network (possibly in advertising-related terms).
Status of controller: If and insofar as the controller analyzes user interactions with its corporate page, both the controller and the relevant provider of the social network or medium share the status of controller in this regard for purposes of data protection and privacy law, in accordance with Article 26 GDPR. In all other cases, the relevant provider of the social network or medium is engaged in accordance with Article 28 GDPR.
Data that are processed: Cookie or pixel-based data concerning the interactions with the website and the controller’s corporate and/or product pages, possibly the email address, name, and communication data.
Supplementary information on the legal basis: In addition to the general remarks made concerning the legal basis (processing operations with the consent of data subjects / purpose and legal basis), the following should be noted: If data subjects themselves maintain a profile with the relevant social network or medium, the legal basis is also the consent within the meaning of point (a) of Article 6(1) GDPR that they have granted to the provider of the relevant social network.
Third-party provider: The social network Facebook from Meta Platforms Ireland Limited (Ireland, EU) is used. However, it is not impossible that data may be transferred to the parent company, Meta Platforms Inc. (USA), or that this company may be involved. To the extent that the controller and the provider of the social network or medium presented here share the status of controller, the agreement can be consulted here: https://www.facebook.com/legal/terms/page_controller_addendum. This text contains full information on the scope and division of tasks. In all other cases, the provider of the social network or medium has been engaged in accordance with Article 28 GDPR. For further details on the nature and manner of processing by this third-party provider, please consult the following link: https://www.facebook.com/business/gdpr. The fact that it is not impossible that data may be transferred to the U.S.-based parent company or that this company may be involved does not conflict with the use of this third-party provider. This is because the processing of the personal data via this tool takes place only if the data subjects consent to the associated transfer of data to the United States (see point (a) of Article 49(1) GDPR). This takes place toward the controller located in this country to the extent that this controller controls the data processing. In this regard, the risk information mentioned above (basic information / transfers to countries outside the European Union) is the operative factor. Where the provider of the social network or medium presented here controls the processing (for example if the data subjects visit the social network irrespective of any action on this website), there is already no transfer by the controller to the United States, with the result that the controller located in this country is also not required to present any further safeguard within the meaning of Articles 44 et seqq. GDPR. 
In these cases, there is, at most, a relationship within the meaning of Article 26 GDPR between the controller located in this country and the provider of the social network.
Third-party provider: The social network Instagram from Meta Platforms Ireland Limited (Ireland, EU) is used. However, it is not impossible that data may be transferred to the parent company, Meta Platforms Inc. (USA), or that this company may be involved. To the extent that the controller and the provider of the social network or medium presented here share the status of controller, the agreement can be consulted here: https://www.facebook.com/legal/terms/page_controller_addendum. This text contains full information on the scope and division of tasks. In all other cases, the provider of the social network or medium has been engaged in accordance with Article 28 GDPR. For further details on the nature and manner of processing by this third-party provider, please consult the following link: https://help.instagram.com/519522125107875. The fact that it is not impossible that data may be transferred to the U.S.-based parent company or that this company may be involved does not conflict with the use of this third-party provider. This is because the processing of the personal data via this tool takes place only if the data subjects consent to the associated transfer of data to the United States (see point (a) of Article 49(1) GDPR). This takes place toward the controller located in this country to the extent that this controller controls the data processing. In this regard, the risk information mentioned above (basic information / transfers to countries outside the European Union) is the operative factor. Where the provider of the social network or medium presented here controls the processing (for example if the data subjects visit the social network irrespective of any action on this website), there is already no transfer by the controller to the United States, with the result that the controller located in this country is also not required to present any further safeguard within the meaning of Articles 44 et seqq. GDPR. 
In these cases, there is, at most, a relationship within the meaning of Article 26 GDPR between the controller located in this country and the provider of the social network.
Third-party provider: The social network LinkedIn from LinkedIn Ireland Unlimited Company (Ireland, EU) is used. However, it is not impossible that data may be transferred to the parent company, LinkedIn Corporation (USA), or that this company may be involved. For further details on the nature and manner of processing by this third-party provider, please consult the following links: https://www.linkedin.com/legal/privacy-policy?trk=hb_ft_priv. The fact that it is not impossible that data may be transferred to the U.S.-based parent company or that this company may be involved does not conflict with the use of this third-party provider. This is because the processing of the personal data via this tool takes place only if the data subjects consent to the associated transfer of data to the United States (see point (a) of Article 49(1) GDPR). This takes place toward the controller located in this country to the extent that this controller controls the data processing. In this regard, the risk information mentioned above (basic information / transfers to countries outside the European Union) is the operative factor. Where the provider of the social network or medium presented here controls the processing (for example if the data subjects visit the social network irrespective of any action on this website), there is already no transfer by the controller to the United States, with the result that the controller located in this country is also not required to present any further safeguard within the meaning of Articles 44 et seqq. GDPR. In these cases, there is, at most, a relationship within the meaning of Article 26 GDPR between the controller located in this country and the provider of the social network.
Useful information via email
In brief: Data subjects can order email content on this website. To this end, the contact details required for this are collected and used to deliver the content.
Processing and third-party providers in detail: The controller may process the data of data subjects in order to send them useful marketing information via email. This relates to an electronic circular published at regular and/or irregular intervals. At the start, the subjects provide the controller with those data that the controller requests in order to sign up. After the double opt-in procedure is carried out, the controller uses these data to conduct marketing outreach to data subjects via these emails.
Data that are processed: The controller processes the data that data subjects voluntarily disclose to the controller for this purpose (typically email and name), along with the data that the controller needs in order to demonstrate that consent has been granted (opt-in status data) and, where applicable, data concerning withdrawal of consent.
Additional information concerning consent as a legal basis: To obtain consent, the controller uses what is known as the “double opt-in” procedure. This means that after data subjects sign up, the controller sends them an email at the email address provided, asking them to confirm their consent. If they do not confirm that they have signed up within 30 days, their information is blocked and then automatically erased after one month. Beyond that, the controller stores the IP addresses they have used in each case, along with the times of the sign-up and confirmation. The purpose of this procedure is to prove that they have signed up and to be able to investigate any possible misuse of their personal data. The legal basis of this processing is point (c) of Article 6(1) GDPR. According to this provision, this controller is permitted to process the data of data subjects if this is necessary to fulfill a legal obligation to which the controller is subject. The legal obligation follows from Article 7(1) or 5(1) GDPR. According to these provisions, this controller is legally obligated to document obtaining consent. This is possible only if the controller collects the data of data subjects for evidentiary purposes.
Processing operations with a legitimate interest
Purpose and legal basis
Unless otherwise indicated in this section (“Processing operations with a legitimate interest”), the processing operations are based solely on a legitimate interest on the part of the controller or a third party. The relevant purpose is mentioned in the individual description of the processing. In these cases, the legal basis is point (f) of Article 6(1) GDPR.
Duration of storage
Personal data whose processing is described in this section are processed until the legitimate interest no longer exists or the data subjects have legitimately objected thereto, whichever comes first.
Marketing outreach to other parties to contracts and agreements
In brief: Where the data subjects enter into a contract or agreement with the controller, whether paid or unpaid, the controller will provide the data subjects with useful information via email. The data subjects can object to this at any time. This can be done, for example, by sending a message to the controller, with no particular form required.
Processing and third-party providers in detail: The controller processes the email address and name of data subjects in order to send them useful information via email at regular or irregular intervals. Moreover, the controller stores the information that a contractual relationship exists or has existed between the data subjects and the controller in order to be able to demonstrate its legitimate interest. The legitimate interest here follows from the circumstance that there is a contractual relationship between the data subjects and the controller within the context of which data subjects typically expect to receive marketing outreach by email. This is supported by recital 47, seventh sentence.
Data that are processed: (1) Email address.
Special note on the right to object: Data subjects can object to the use of their data for this purpose at any time. This can be done, for example, by sending a message to the controller, with no particular form required (to obtain contact channels, data subjects can consult the beginning of this statement and the legal notice). In particular, data subjects can object without any costs other than the costs of transmission at basic rates arising for this purpose.
Informational use of the website
In brief: If and when data subjects merely visit this website without interacting with it, this controller processes their data to the extent that so doing is necessary in technical terms in order to display the website.
Processing in detail: If data subjects use this website purely for informational purposes, meaning if and when they neither register as users nor transfer information otherwise, the controller collects some data from the data subjects to the extent that so doing is necessary in technical terms in order to display the website.
Data that are processed: IP address, date and time of inquiry, time zone difference from Greenwich Mean Time (GMT), content of request (concrete page), access status/HTTP status code, volume of data transmitted in each case, website from which the request originates, browser, operating system and interface, language and version of the browser software.
Rights management and external legal advice, where applicable
In brief: If and when data subjects assert rights toward this controller (such as requests for access to information), the controller processes the communication data associated with this in order to handle this in the interest of data subjects and to be able to defend itself, where applicable, against civil-law claims and accusations that carry fines or criminal penalties.
Processing in detail: If and when the data subjects assert claims of any kind against this controller, the data are processed as follows:
(1) The controller receives the request and stores all data associated with it.
(2) The controller uses these data to review the matter. The controller utilizes external legal advice where necessary.
(3) If the request is justified, the controller uses the data to accommodate it. Otherwise, the controller uses the data to provide information to data subjects.
(4) The controller retains the data that exist in the case of processing pursuant to sections 1 through 3 for three years, commencing on December 31 of the calendar year in which step 3 has taken place.
The legitimate interest in the case of sections 1 through 3 above follows from the interest of data subjects in their claims being processed and the controller’s interest in avoiding claims and sanctions. The legitimate interest in the case of section 4 above follows from the controller’s need to be able to defend itself later on against civil-law claims and accusations that carry fines or criminal penalties. This interest in storage pursuant to section 4 terminates when the limitation period pursuant to Sec. 193 and/or 195 of the German Civil Code (BGB) ceases to apply.
Data that are processed: Name, contact details, and communication content.
Additional information concerning the legal basis: Processing pursuant to sections 1 through 3 is, additionally, also justified by point (c) of Article 6(1) GDPR, as the controller is obligated to review data subjects’ requests.
External Web hosting
Third-party provider: We use the service provider Framer to enhance your experience while using our services. Framer provides us with valuable tools and functionalities to create, design, and optimize our offerings. Framer may collect and process data on our behalf as described in their Privacy Policy.
For more information about how Framer collects, uses, and protects your personal information, please review their Privacy Statement at the following link: https://www.framer.com/legal/privacy-statement/
In brief: The storage space required for this website is provided by an external provider. This means that all data of data subjects that are required in order to visit the website are also transferred to this provider.
Processing in detail: To publish this website, the controller has commissioned third-party providers to provide storage space and to deliver the site. In order for these service providers to be able to fulfill their tasks, they necessarily receive some data concerning the data subjects. The legitimate interest follows from the claim to being able to maintain a public presence.
Data that are processed: IP address, date and time of inquiry, time zone difference from Greenwich Mean Time (GMT), content of request (concrete page), access status/HTTP status code, volume of data transmitted in each case, website from which the request originates, browser, operating system and interface, language and version of the browser software, and where applicable also communication and interaction data arising from the behavior of data subjects.
Third-party provider: What is known as a content delivery network (CDN) is also used. The controller can achieve additional performance with a CDN. The content is duplicated at multiple data centers and thus distributed all over the world. This means that even users who are at a great geographic distance from the actual Web hosting provider can achieve fast loading times. The CDN Cloudflare from Cloudflare, Inc. (USA), is used for this. The fact that the provider is based outside the EU does not conflict with the engagement of this third-party provider. This is because the provider has undertaken an obligation in accordance with the EU standard contractual clauses.
In addition, you have the right to complain to a supervisory authority. You can find out which supervisory authority is responsible for you on the website of the Federal Commissioner for Data Protection and Freedom of Information under the following link: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html