Data Protection Policy

(as of March 2022)

 

With this Data Protection Policy, we would like to inform you about the collection of personal data and the accessing of information on your end device when using our website and the linked services. The information takes into consideration the statutory requirements, particularly the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and the German Telecommunications and Telemedia Data Protection Act (TTDSG).

    1. General information

      1. Processing of personal data

        Personal data within the meaning of Article 4 of the GDPR means any information relating to an identified or identifiable natural person, such as name, address, email address, user behaviour, etc.

      2. Controller, data protection office

        The controller responsible for the processing of personal data within the meaning of Article 4(7) GDPR is:

        ars serendi GmbH
        Herrenberger Straße 14
        71032 Böblingen
        Germany

        Tel.: +49 (0) 7031 / 7212200
        E-Mail: info@ars-serendi.de

        Website: https://www.ars-serendi.de

        If you have any concerns relating to data protection law, please contact info@ars-serendi.de using the keyword “data protection”.

        Certain processing operations may be carried out under the responsibility of other companies. Where this is the case, this will be indicated under the respective descriptions of the processing.

      3. Rights of the data subject

        As data subject, you have the following rights in accordance with statutory provisions with respect to the personal data concerning you:

        • Right to obtain information,
        • Right to rectification or erasure,
        • Right to restriction of processing,
        • Right to data portability

        You also have the right to lodge a complaint with a data protection supervisory authority concerning our processing of your personal data.

        When handling your rights, it may be possible that we will ask you for proof of identity. You can find further information about how we process your personal data in this regard under Section C.1.

      4. Security measures

        In accordance with statutory requirements, we take appropriate technical and organisational security measures in order to ensure a level of protection suitable to the risk of data processing.

        In order ensure the best possible security, data are always transmitted to us in encrypted form. You can tell if the connection is encrypted by the indication https:// in the address bar of your browser.

      5. Disclosure of personal data

        Unless expressly declared in this section or in the following in connection with the description of the individual processing operations, your personal data will not be disclosed to third parties or other recipients.

        We use the services of outside service providers for hosting and for the operation of our website in technical terms and in terms of consent. Personal data collected on this website are stored on the host’s servers and can be viewed by our technical service provider. This may involve, in particular, IP addresses, contact enquiries, meta and communication data, contract data, contact data, names, website accesses and other data that are generated through the website. Outside services providers are used in the interest of secure, fast and efficient provision of our website by a professional provider. The outside service providers will process your data only to the extent necessary for fulfilling their service obligations and will follow our instructions with respect to the data processed for these purposes. We have concluded a processing contract in line with Article 28 GDPR with each of the utilised service providers.
        In the case of a statutory obligation, we reserve the ability to disclose information about you if surrender is demanded from us by lawfully acting authorities or criminal prosecution bodies. The legal basis is Article 6(1)(c) GDPR (statutory obligation).

      6. Erasure of data

        The data processed by us will be erased in accordance with statutory requirements once the consents permitting the processing are withdrawn or other permits no longer apply (e.g. if the purpose for the processing of these personal data no longer apply or they are not necessary for the purpose).
        Where the personal data are not erased because they are necessary for other purposes allowed by statute, their processing will be limited to those purposes. In other word, the personal data will be blocked for the purposes that no longer apply and will not be processed any further for those purposes. That applies, e.g., to personal data that are required to be retained for reasons of commercial or tax law or storage is necessary for the establishment, exercise or defence of legal claims or to protect the rights of another natural person or legal entity.

        In connection with our Data Protection Policy, we moreover inform you about the erasure and storage of personal data that apply specially for the respective processing operations.

      7. Amendments to the Data Protection Policy

        We reserve the ability to modify this Data Protection Policy in the event of any change in the legal system, the website or data processing. However, this applies only with respect to declarations concerning data processing. If consents by you are necessary, or if parts of this Data Protection Policy contain arrangements that apply to the contractual relationship with you, the amendments are made only with your approval.

        You may acquaint yourself with any amendments on a regular basis in this Data Protection Policy.

    2. Collection and processing of data when visiting our website

      1. Automated data collection and processing by the browser

        Processing/purpose

        In the case of mere informational use of the website, i.e. if you do not register or otherwise transmit information to us, we collect the personal data that your browser transmits to our servers and that are technically necessary for displaying our website and ensuring stability and security. These data are stored temporarily in log files. The following information, which is technically necessary for us, is collected and stored in this regard until automated deletion:

        • Name of the accessed website or file
        • Data and time of access
        • Description of the type of web browser used
        • IP address

        A person-related analysis of the server log files does not take place. We cannot attribute these data to a specific person at any time. These data are not combined with other data sources.

        Legal basis

        Article 6(1)(f) GDPR (legitimate interest), section 25 (1) TTDSG.

        Our legitimate interest consists of ensuring the delivery of the website, as well as combating misuse and eliminating malfunctioning.

        Duration of storage

        The log files are deleted once that are no longer needed for the specified purposes, but at most after 30 days.

      2. Cookies

        Information/purposes

        In addition to the aforementioned data, cookies are employed when you use and visit our website. Cookies are small text files that are set by your browser on your end device for storing certain information. In addition to cookies that are used during a session and then deleted after the website visit (“session cookies”), cookies may also be used in order to store user settings and other information for a certain period of time (e.g. two years) (“permanent cookies”). While you are visiting the website, or when you next visit our website with the same end device, the information stored in the cookies will be sent back either to our website (“first-party cookie”) or to another website of a third-party provider to whom the cookie belongs (“third-party cookie”). As a result of the information that has been stored and sent back, the respective website can identify that you have already visited it with the browser of your end device.

        This website uses only technically necessary cookies.
        On our website, we employ necessary cookies that ensure technical features without which you cannot use our websites as envisaged or expected. These cookies collect and store only pseudonymised information, meaning that they cannot track your movements on other websites. These cookies are used exclusively by us and are therefore first-party cookies. This means that all information that is stored in the cookies is sent back to our website.

        The following necessary cookies are employed on our website:

        Cookie-Name Anbieter Zweck Speicherdauer
        PHPSESSID WordPress This cookie stores your current session with respect to PHP applications and in that way ensures that all features of the site that are based on the PHP programming language can be displayed in full. Session

        The use of necessary cookies on our website is possible without your consent. For this reason, necessary cookies also may not be individually activated or deactivated. However, you have the ability at any time to deactivate cookies generally in your browser.

        Recipients

        We transfer cookie information to outside service providers (e.g. hosting provider, support provider)

        Legal bases

        Article 6(1)(f) GDPR (legitimate interest), with section 25 (1) TTDSG.
        Our legitimate interest consists of ensuring the functionality of our website and the services embedded on it (necessary cookies).

        Duration of storage

        The mentioned cookies are stored during the current browser session and automatically deleted when the browser session ends.

        Deletion of cookies/objection

        You normally have the ability to adjust the settings in your browser in a way that prevents the storage of cookies on your end device. Cookies that have already been set may be deleted at any time in your browser settings. You can find instructions for this in the help function of your browser.

        Please be aware that the exclusion of cookies may result in limitations of the website’s features.

    3. Other functions on the website

      1. Making contact

        Purpose / information:

        B

        When communicating and/or collaborating with us – e.g. by email, via a contact form on our website, or via a data exchange platform – the data provided by you (your email address, possibly your name and phone number or the provided personal data within the communication) will be stored by us in order, e.g., to answer your questions or to perform the communication necessary for our business purposes.

        With respect to the processing of data that are generated in connection with the communication, we have a legitimate interest in processing the data in line with statutory requirements, for the purpose of internal review or in line with the respective communication concern.

        Recipients

        We transfer the collected data for processing to external service providers, processors (e.g. hosting providers, service providers) in accordance with the necessary purposes (for making contact, business-related communication and customer care).

        Erasure:

        We erase the data generated in this connection after the storage is no longer necessary in connection with the communication concern, unless there are statutory retention duties or prescription periods need to be observed.

        Legal basis:

        Article 6(1)(b) GDPR (in the case of processings in connection with a contract)

        Article 6(1)(f) GDPR (in the case of processings in accordance with the above-mentioned legitimate interest)

        Requirement to provide personal data

        The use of contact forms takes place on a voluntary basis and is prescribed neither by contract nor by statute. You are not obligated to contact us using the contact form but instead may also use the other contact options listed on our site. If you would like to use our contact form, then you must complete all fields marked as mandatory information. If you do not complete the required information in the contact form, either you cannot send the enquiry or we unfortunately cannot process your enquiry.

      2. Registration for online events

        Purpose/ information

        When you or third parties (e.g. employer) register for our events, the contact data and, where applicable, banking data provided by you will be processed in order to organise and conduct the respective event and, where applicable, to be able to issue participation certificates and invoices.

        Recipients

        We provide the data for processing to processors that have been engaged to organise or conduct an event, hosts, and other IT service providers, as well as outside administrators.

        Erasure:

        We erase the data generated in this connection after the storage is no longer necessary in connection with conducting the event, unless there are statutory retention duties or prescription periods need to be observed.

        Legal basis:

        Article 6(1)(b) GDPR (in the case of processings in connection with a contract)

        Requirement to provide personal data

        Your contact data and, where applicable, banking data are needed in order to be able to process your enquiry about participation in an online event. To this extent, you are obligated to provide your data. This obligation results from a contract or a pre-contractual obligation. Where you or a third party who is registering you does not provide the necessary registration data when registering, you cannot register for or be registered for an online event.
      3. Participation in online events

        Purpose/information

        In connection with participation in the online event, the following data will be collected and processed for the purpose of conducting the online event in technical terms and in terms of content:

        • Access data (e.g. a customised link for joining the online event)
        • Content data (e.g. in chats or in the case of votes or files released by you)
        • Profile data (data that you have voluntarily released about yourself in connection with the online event, e.g. your name or possibly your profile photo)
        • Meta data (e.g. IP address, date and time of joining the conference, and time of leaving)
        • Log files, protocol data

        During participation in the online event, the following information is visible to other participants who are not organisers: Your name, profile photo and your chat posts We do not record whether you participated attentively in the event (e.g. whether you had windows open during the event other than the one for the online event).

        We use Microsoft Teams to conduct online events. Through the videoconferencing feature of Microsoft Teams, we can offer you participation via video/audio in our online events. In this regard, we use the Team Meetings feature of Microsoft Teams and prevent audio and video recordings through our Microsoft Teams settings.

        As a rule, the event is not recorded. Images or audio recordings are made of you only if and to the extent you have separately consented to this (Article 6(1)(a) GDPR). The intended use as well as the consent to the recording are documented in the recording.

        Recipients

        To conduct the online event, we use the software Microsoft Teams as part of Microsoft Office 365 of the technical service provider Microsoft Ireland Operations Ltd. in One Microsoft Place, Dublin/Ireland (Microsoft).

        The data are stored in the Microsoft cloud, namely on servers in data centres in the European Union in Ireland and the Netherlands. For this purpose, we have concluded a processing agreement with Microsoft pursuant to Article 28 GDPR.

        In addition, we have implemented the feature “Customer Log Box” in Office 365. As a result, Microsoft has no ability whatsoever to access our data in Office 365.

        Microsoft may request access for the purpose of remote maintenance. This access will then be reviewed by us on a case-by-case basis and granted if approved. In this case, such access may also take place from outside the European Union by affiliated companies of Microsoft. We have concluded EU standard contracts (standard data protection clauses) with Microsoft solely for this case of access from outside the European Union in an individual case approved by us. In order to guarantee in this specific case an appropriate level of data protection in the case of the transfer of personal data to a third country, like the USA, we have agreed with Microsoft on extensive technical and organisational measures that are consistent with the state of the art in IT security, e.g. access credentials concepts and encryption concepts for data lines, data bases and servers.

        Microsoft reserves the ability to process customer data for its own legitimate business purposes. Where Microsoft processes personal data in connection with its own legitimate business operations, Microsoft is an independent controller within the meaning of the GDPR for these processings. You can find details about processing by Microsoft at https://docs.microsoft.com/de-de/microsoftteams/teams-privacy.

        You can participate in an online event based on Microsoft Teams even without your own Microsoft use account. If you use your own Microsoft use account for participation, data may in addition be processed pursuant to the provisions of your Microsoft use account.

        Duration of storage:

        We erase the participation data after 90 days at the latest.

        Legal basis:

        Article 6(1)(b) GDPR (processing in connection with a contract)
    4. OBJECTION OR REVOCATION AGAINST THE PROCESSING OF YOUR DATA

      If you have granted consent to the processing of your personal data, you may withdraw it at any time. Such withdrawal affects the permissibility of the processing of your personal data after you have declared it to us. The lawfulness of the processing on the data on the basis of the consent up to your withdrawal is not affected by this.

      If we base the processing of your personal data on a weighing of interests, you can lodge an objection to the processing. Our legitimate interests are described by us in each case in connection with the description concerning the data processing. When exercising such an objection, we ask that you provide the reasons why we should not process your personal data as performed by us. In the case of your justified objection, we will review the matter and either discontinue or adjust data processing or notify you of our mandatory, protected reasons on the basis of which we will continue the processing.

      You may at any time object to the processing of your personal data for direct marketing purposes and profiling related thereto without providing reasons. Your personal data will then no longer be processed for these purposes.

      You can notify us of your withdrawal of consent or object using the contact data listed in No. A. 2. “Controller” or the technical features described in this Data Protection Policy.