diff --git a/privacy.md b/privacy.md index a17c2d0..2667a8f 100644 --- a/privacy.md +++ b/privacy.md 
@@ -3,293 +3,296 @@ layout: page title: Privacy notice --- -## Privacy Policy - -DLR takes the protection of personal data very seriously. We want you to know -when we store data, which types of data are stored and how it is used. As an -incorporated entity under German civil law, we are subject to the provisions -of the EU General Data Protection Regulation (GDPR) (refer to -[https://gdpr-info.eu/](https://gdpr-info.eu/)), the Federal Data Protection -Act (BDSG) and the Telemedia Act (TMG). We have taken technical and -organisational measures to ensure our compliance and the compliance of -external service providers with the data protection regulation. - -This website uses SSL - that is, TLS encryption - in order to protect the -transfer of personal data and other confidential information (for example, -orders or enquiries sent to the controller). A connection is encrypted if you -see the character sequence 'https://' and the padlock icon in your browser's -address bar. +## Information on data protection -## I. Name and address of the controller - -The controller in the meaning of the General Data Protection Regulation, -other national data protection laws in the Member States and related data -protection regulations is: - -Deutsches Zentrum für Luft- und Raumfahrt e. V. (DLR) \ -Linder Höhe \ -51147 Cologne - -phone: +49 2203 601-0 \ -email: datenschutz [at] dlr.de \ -[http://www.dlr.de/](http://www.dlr.de/) - -The controller's appointed data protection officer is: - -Der/die Datenschutzbeauftragte, Deutsches Zentrum für Luft- und Raumfahrt e. V., -Linder Höhe, 51147 Cologne \ -Email: datenschutz [at] dlr.de - -## II. General information on data processing - -We process personal data concerning our users exclusively to the extent -required to provide a functioning website, as well as our content and -services. Ordinarily, we will only process the personal data of our users -after obtaining their consent. 
An exception to this rule is where obtaining -prior consent is factually impossible and the processing of the data is -permitted by law. - -The personal data of the data subject will be deleted or blocked as soon -as the purpose of storage no longer applies. In addition, storage takes -place if authorised by Union or Member State directives, laws or other -regulations to which the controller is subject. Blocking or deletion of -the data shall also take place when a storage period stipulated by one of -the above standards comes to an end, except where it is necessary to -continue storing the data to enter into or perform a contract. - -## II.1 Provision of the website and log files - -### a) Description and scope of data processing - -Our system automatically collects data and information from the accessing -computer system each time our website is visited. - -The following data is collected in this context: - -1. Source IP address of accessing system -2. Date and time -3. Browser version and operating system of accessing system -4. Web address from which the accessing system arrives on our website (referrer URL) -5. Requested web address of our server - -Furthermore other similar data and information that is used to protect against -risks in the case of attacks on our Information Technology systems. - -The data is also stored in log files kept on our system. This data is not -stored together with other personal data concerning the user. - -### b) Legal grounds for data processing - -The legal grounds for temporary storage of the data and log files are set -out in Art. 6, paragraph 1, part (f) of the EU General Data Protection Regulation -(GDPR). - -### c) Purpose of data processing - -Temporary storage of the IP address by our system is necessary to deliver -the website to the computer of the user. For this purpose, the source IP -address of the request must be stored for the duration of the session. 
- -Storage in log files takes place to ensure functionality of the website. -In addition, the data is used to optimise the website and to ensure security -of our Information Technology systems. Data analysis for marketing purposes -does not take place in this context. - -### d) Duration of storage - -The data is deleted as soon as it is no longer needed for the purpose for -which it was collected. In the case of data collection for the provision -of this website, this applies at the end of each session. - -In the case of data stored in log files, this occurs after no longer than -seven days. Further storage is possible; in these cases, the IP addresses -are deleted or pseudonymised to prevent any association with the accessing -client or user. - -### e) Right to objection and removal - -The collection of data for the provision of our website and the storage -of data in log files is crucial to operation of the website. Hence, users -are not granted a right to object. - -## II.2 Contact form and email contact - -### a) Description and scope of data processing - -A few of our web pages provides contact forms. The data entered in the -input screen will be transferred to us and stored. This applies to the -following data: - -* First name -* Family name -* Email address - -The following data is stored additionally when sending a message: - -* IP address of the user -* Date and time of submission - -Your consent for data processing will be obtained, and you will be referred -to this Privacy Notice during the sending process. - -Alternatively, it is possible to contact us using the email address provided. -The personal data of the user transferred with the email will be stored in -this case. - -The data is not transferred to third parties in this context. The data is -used exclusively for processing the correspondence. 
- -### b) Legal basis for data processing - -The legal basis for processing of the data in the event that consent has -been received from the user is set out in Art. 6, paragraph 1, part (a) -of the EU General Data Protection Regulation (GDPR). - -The legal basis for processing of the data sent to us by email is set -out in Art. 6, paragraph 1, part (f) of the GDPR. Where email contact is -established with the intention of entering into a contract, additional -legal bases for the processing are set out in Art. 6, paragraph 1, part -(b) of the GDPR. +The German Aerospace Centre (Deutsches Zentrum für Luft- und Raumfahrt e.V. - DLR) +takes the protection of your personal data very seriously. In accordance with the EU +General Data Protection Regulation (GDPR), which came into force on 25 May 2018, +this data protection notice informs you about the processing of your personal data +by DLR and the rights to which you are entitled. This information will be updated +as necessary and made available to you. We have taken technical and organisational +measures to ensure that the data protection regulations are observed both by us and +by external service providers. -### c) Purpose of data processing +## SSL or TLS encryption -We use the personal data you provide in the contact form exclusively -to process your enquiry. In the case of contact by email, this represents -our necessary, legitimate interest in data processing. +This website uses SSL or TLS encryption for security reasons and to protect the +transmission of personal data and other confidential content (e.g. orders or enquiries +to the controller). You can recognise an encrypted connection by the character string +"https://" and the lock symbol in your browser line. -Any other personal data that is processed when you send us the contact -form is used to prevent abuse of the contact form and to protect the -security of our Information Technology systems. 
+If SSL or TLS encryption is activated, the data you transmit to us cannot be read by +third parties. -### d) Duration of storage - -The data is deleted as soon as it is no longer needed for the purpose -for which it was collected. For personal data entered in the input -screen of the contact form and personal data sent to us by email, -this is the case when correspondence with the user has come to an end. -A conversation has come to an end when the circumstances indicate -that the relevant matter has been dealt with definitively. - -Any additional personal data collected during the sending process -will be deleted after a maximum of seven days. - -### e) Right to objection and removal - -The user is entitled to revoke their consent to the processing of -personal data at any time. The user may object to the processing of -personal data at any time by contacting datenschutz [at] dlr.de. -Correspondence will be discontinued in these cases. - -All personal data stored in connection with contacting us will -be deleted in this case. - -## II.3 Registration to events - -### a) Description and scope of data processing - -Some web pages of this web server provides registration forms for -events. Beside the provided form field content (name, email address, ...) -date and time are saved. - -### b) Legal grounds for data processing - -The legal basis for processing of the data is set out in Art. 6, -paragraph 1, part (a), (b) and (f) of the EU General Data Protection -Regulation (GDPR). - -### c) Purpose of data processing - -The data is used for the realisation of the event, eg. room planning, -ordering of meals, reservations for excursions, participants list. - -The registration data are made available to the event organisation -committee. The members of the committee are listed on the event web -pages and have often international provenance. - -The registration data can be used afterwards to inform about -succeeding events or scientific events with similar topics. 
- -Your consent for possible data uses will be obtained at registration -and is optional. - -### d) Duration of storage - -Deletion of registration data happen after 3-5 years after the event. - -### e) Right to objection and removal - -Over the given contact address of the organiser of the event, -data can be corrected or requested to be removed. - -## II.4 Use of cookies - -### a) Description and scope of data processing - -Only a few parts of our website uses cookies. Cookies are text -files placed on the user's computer system by a browser and stored there. - -We use technically necessary cookies to improve our website's user -friendliness. Some elements on our website make it necessary to -recognise the accessing browser when moving from page to page -(eg. for login). - -### b) Legal basis for data processing - -The legal grounds for the processing of personal data using -technically necessary cookies are set out in Art. 6, paragraph 1, -part (f) of the EU General Data Protection Regulation (GDPR). - -### c) Purpose of data processing - -Technically necessary cookies are used to make our website -user friendly. Some functions on our website cannot be provided -without the use of cookies, as they require that the browser is -recognised when moving from page to page. - -The user data collected with technically necessary cookies is -not used to produce user profiles. - -### d) Duration of storage - -Cookies have an expire date an are removed after expiration -by the internet browser. technically necessary cookies are -implemented as session cookies, which are removed when closing -the browser. - -### e) Right to objection and removal - -You can change the settings of your Internet browser to -disable or restrict the transfer of cookies at any time. -Cookies that have already been placed on your computer can -be deleted at any time. - -## II.5 Embedded content from other websites -Pages on this site may include embedded content (e.g. 
videos, images, articles, etc.). -Embedded content from other websites behaves in the exact same way as if the visitor -has visited the other website. - -These websites may collect data about you, use cookies, embed additional third-party -tracking, and monitor your interaction with that embedded content, including tracking -your interaction with the embedded content if you have an account and are logged in -to that website. - -## III. Rights of the data subject - -Where personal data concerning you is processed, you are -the data subject as defined in the EU General Data Protection -Regulation (GDPR) and you have the following rights with respect -to the controller: +## I. Name and address of the controller -* Right to information -* Right to correction -* Right to limit processing -* Right to deletion -* Right to notification -* Right to data portability -* Right to object -* Right to withdraw consent pursuant to Art. 7, paragraph 3 of the GDPR -* Right to lodge a complaint with a supervisory authority +The controller within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is the: -This rights are independent from the services of this web server. -Please see details at [https://www.dlr.de/Privacy](https://www.dlr.de/Privacy), -Section "Rights of the data subject". +German Aerospace Centre (DLR) \ +Linder Höhe \ +51147 Cologne \ +Phone: +49 2203 601-0 \ +E-mail: datenschutz [at] dlr.de \ +WWW: [https://www.dlr.de](https://www.dlr.de) + +## II. Name and address of the data protection officer + +You can reach the data protection officer of the controller at + +German Aerospace Centre, Linder Höhe, 51147 Cologne \ +E-mail: datenschutz [at] dlr.de + +## III. Definitions of terms + +In accordance with the General Data Protection Regulation and the Federal Data Protection Act, +we use the following terms, among others, in this privacy policy: + +### 1. 
Personal data +Personal data is any information relating to an identified or identifiable natural person +(hereinafter "data subject"). An identifiable natural person is one who can be identified, +directly or indirectly, in particular by reference to an identifier such as a name, an +identification number, location data, an online identifier or to one or more factors specific +to the physical, physiological, genetic, mental, economic, cultural or social identity of +that natural person. + +### 2. Data subject +Data subject is any identified or identifiable natural person whose personal data is processed +by the controller. + +### 3. Processing +Processing means any operation or set of operations which is performed on personal data or +on sets of personal data, whether or not by automated means, such as collection, recording, +organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, +disclosure by transmission, dissemination or otherwise making available, alignment or +combination, restriction, erasure or destruction. + +### 4. Restriction of processing +Restriction of processing is the marking of stored personal data with the aim of limiting +its future processing. + +### 5. Profiling +Profiling means any form of automated processing of personal data consisting of the use of +personal data to evaluate certain personal aspects relating to a natural person, in particular +to analyse or predict aspects concerning that natural person's performance at work, economic +situation, health, personal preferences, interests, reliability, behaviour, location or movements. + +### 6. 
Pseudonymisation +Pseudonymisation is the processing of personal data in such a manner that the personal data +can no longer be attributed to a specific data subject without the use of additional information, +provided that such additional information is kept separately and is subject to technical and +organisational measures to ensure that the personal data are not attributed to an identified +or identifiable natural person. + +### 7. Controller or controller responsible for the processing +The controller or controller responsible for the processing is the natural or legal person, +public authority, agency or other body which, alone or jointly with others, determines the +purposes and means of the processing of personal data. Where the purposes and means of such +processing are determined by Union or Member State law, the controller or the specific criteria +for its nomination may be provided for by Union or Member State law. + +### 8. Processor +Processor is a natural or legal person, public authority, agency or other body which processes +personal data on behalf of the controller. + +### 9. Recipient +Recipient is a natural or legal person, public authority, agency or another body, to which the +personal data are disclosed, whether a third party or not. However, public authorities which +may receive personal data in the framework of a particular enquiry in accordance with Union or +Member State law shall not be regarded as recipients. + +### 10. Third party +A third party is a natural or legal person, public authority, agency or body other than the data +subject, the controller, the processor and the persons who, under the direct authority of the +controller or processor, are authorised to process the personal data. + +### 11. 
Consent +Consent is any freely given, specific, informed and unambiguous indication of the data subject's +wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement +to the processing of personal data relating to him or her. + +## IV. General information on data processing + +### 1. Scope of the processing of personal data +We only process our users' personal data to the extent necessary to provide a functional +website and our content and services. The processing of our users' personal data only takes +place regularly with the user's consent. An exception applies in cases where prior consent +cannot be obtained for factual reasons and the processing of the data is permitted by law. + +### 2. Legal basis for the processing of personal data +If you have consented to data processing, we process your personal data on the basis of +Art. 6 para. 1 sentence 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR, insofar as special +categories of data are processed in accordance with Art. 9 para. 1 GDPR. In the event of +express consent to the transfer of personal data to third countries, data processing is +also carried out on the basis of Art. 49 para. 1 lit. a GDPR. If you have consented to the +storage of cookies or access to information in your end device (e.g. via device fingerprinting), +the data processing is carried out on the basis of Art. 6 para. 1 lit. a GDPR and additionally +on the basis of § 25 para. 1 TDDDG. Consent can be revoked at any time. If your data is required +for the fulfilment of a contract or for the implementation of pre-contractual measures, we process +your data on the basis of Art. 6 para. 1 sentence 1 lit. b GDPR. Furthermore, we process your data +if it is necessary for the fulfilment of a legal obligation on the basis of Art. 6 para. 1 sentence +1 lit. c GDPR. Data processing may also be carried out on the basis of our legitimate interest in +accordance with Art. 6 para. 1 sentence 1 lit. f GDPR. 
Information on the relevant legal bases in +each individual case is provided in the following paragraphs of this privacy policy. + +### 3. Data erasure and storage duration +The personal data of the data subject will be erased or blocked as soon as the purpose of the +processing no longer applies. Data may also be stored if this has been provided for by the European +or national legislator in EU regulations, laws or other provisions to which the controller is subject. +The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards +expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a +contract. + +### 4. Revocation of your consent to data processing +Many data processing operations are only possible with your express consent. You can withdraw your +consent at any time with effect for the future. The legality of the data processing carried out until +the revocation remains unaffected by the revocation. + +## V. Processing operations + +### 1. Provision of the website and external hosting +This website is hosted externally. The personal data collected on this website is stored on the +servers of the hoster(s). This may include IP addresses, contact requests, meta and communication +data, contract data, contact details, names, website accesses and other data generated via a website. + +External hosting is carried out for the purpose of fulfilling the contract with our potential and +existing customers (Art. 6 para. 1 lit. b GDPR) and in the interest of a secure, fast and efficient +provision of our online offer by a professional provider (Art. 6 para. 1 lit. f GDPR). If a +corresponding consent has been requested, the processing is carried out exclusively on the basis of +Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG, insofar as the consent includes the storage of +cookies or access to information in the user's end device (e.g. 
device fingerprinting) within the +meaning of the TDDDG. Consent can be revoked at any time. + +Our hoster(s) will only process your data to the extent that this is necessary for the fulfilment of its +fulfil its performance obligations and follow our instructions with regard to this data. + +We use the following hoster(s): + +GitHub B.V. Prins Bernhardplein 200, Amsterdam 1097JB The Netherlands \ +GitHub, Inc. 88 Colin P. Kelly Jr. St. San Francisco, CA 94107 United States \ +GitHub Data Protection Officer at dpo [at] github.com + +Order processing + +We have concluded a data processing agreement (DPA) with the above-mentioned provider. +This is a contract prescribed by data protection law, which ensures that the provider only +processes the personal data of our website visitors in accordance with our instructions +and in compliance with the GDPR. + +### 2. Server log files +The provider of this website and its pages automatically collects and stores information +in so-called server log files, which your browser communicates to us automatically. The +information comprises: + +* The type and version of browser used +* The used operating system +* Referrer URL +* The hostname of the accessing computer +* The time of the server inquiry +* The IP address + +This data is not merged with other data sources. + +This data is recorded on the basis of Art. 6(1)(f) GDPR. The operator of the website has a +legitimate interest in the technically error free depiction and the optimization of the +operator’s website. In order to achieve this, server log files must be recorded. + +The collection of data for the provision of our website and the storage of data in log files +is crucial to operation of the website. Hence, users are not granted a right to object. + +### 3. 
Contact +#### Request by e-mail, telephone, or fax + +If you contact us by e-mail, telephone or fax, your request, including all resulting personal +data (name, request) will be stored and processed by us for the purpose of processing your request. +We do not pass these data on without your consent. + +These data are processed on the basis of Art. 6(1)(b) GDPR if your inquiry is related to the +fulfillment of a contract or is required for the performance of pre-contractual measures. In +all other cases, the data are processed on the basis of our legitimate interest in the effective +handling of inquiries submitted to us (Art. 6(1)(f) GDPR) or on the basis of your consent +(Art. 6(1)(a) GDPR) if it has been obtained; the consent can be revoked at any time. + +The data sent by you to us via contact requests remain with us until you request us to delete, +revoke your consent to the storage or the purpose for the data storage lapses (e.g. after +completion of your request). Mandatory statutory provisions - in particular statutory retention +periods - remain unaffected. + +## VI. YouTube with extended data protection + +This website integrates videos from the YouTube website. The operator of the website is Google +Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. + +When you visit one of these websites on which YouTube is integrated, a connection to the YouTube +servers is established. This tells the YouTube server which of our pages you have visited. If you +are logged into your YouTube account, you enable YouTube to assign your surfing behaviour directly +to your personal profile. You can prevent this by logging out of your YouTube account. + +We use YouTube in extended data protection mode. According to YouTube, videos that are played in +extended data protection mode are not used to personalize browsing on YouTube. Ads that are played +in extended data protection mode are also not personalized. 
No cookies are set in extended data +protection mode. Instead, so-called local storage elements are stored in the user's browser, which +contain personal data similar to cookies and can be used for recognition. Details on the extended +data protection mode can be found here: +[https://support.google.com/youtube/answer/171780](https://support.google.com/youtube/answer/171780). + +After activating a YouTube video, further data processing operations may be triggered over which we have no influence. + +The use of YouTube is based on our interest in presenting our online content in an appealing manner. +Pursuant to Art. 6(1)(f) GDPR, this is a legitimate interest. If appropriate consent has been obtained, +the processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and § 25 (1) TDDDG, +insofar the consent includes the storage of cookies or the access to information in the user’s end +device (e.g., device fingerprinting) within the meaning of the TDDDG. This consent can be revoked at any time. +For more information on how YouTube handles user data, please consult the YouTube Data Privacy Policy under: +[https://policies.google.com/privacy?hl=en](https://policies.google.com/privacy?hl=en). + +The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an +agreement between the European Union and the US, which is intended to ensure compliance with European +data protection standards for data processing in the US. Every company certified under the DPF is +obliged to comply with these data protection standards. For more information, please contact the +provider under the following link: +[https://www.dataprivacyframework.gov/participant/5780](https://www.dataprivacyframework.gov/participant/5780). + +## VII. 
Rights of the data subject + +If your personal data is processed, you are a data subject within the meaning of the GDPR and you +have the following rights vis-à-vis the controller in accordance with the provisions set out below: + +1. in accordance with Art. 15 GDPR, you can request information about the personal data processed by us. + In particular, you can request information about the purposes of processing, the category of personal data, + the categories of recipients to whom your personal data has been or will be disclosed, the planned storage + period and the existence of the rights explained in this section 4 and 6. + +2. in accordance with Art. 16 GDPR, you can request the immediate correction of incorrect or incomplete + personal data stored by us. + +3. in accordance with Art. 17 GDPR, you may request the deletion of your personal data stored by us, + unless the processing is necessary for reasons specified by law, in particular to exercise the right + to freedom of expression and information, to fulfil a legal obligation, for reasons of public interest + or for the assertion, exercise or even potential defence of legal claims. + +4. in accordance with Art. 18 GDPR, you may request the restriction of the processing of your personal data + if you dispute its accuracy, if the processing is unlawful but you refuse to delete it and we no longer + need the personal data, but you need it for the assertion, exercise or defence of legal claims or if you + have lodged an objection to the processing in accordance with Art. 21 GDPR. + +5. in accordance with Art. 20 GDPR, you may receive your personal data that you have provided to us in a + structured, commonly used and machine-readable format or request that it be transferred to another controller + +6. in accordance with Art. 7 para. 3 GDPR, you can revoke any consent you have given us under data protection + law at any time. 
As a result, we may no longer continue the data processing that was based on this consent + in the future. + +7. **Right to object pursuant to Art. 21 GDPR** + + **If personal data is processed on the basis of legitimate interests in accordance with Art. 6 (1) (f) GDPR, + you have the right to object to the processing of your personal data in accordance with Art. 21 GDPR, + provided that there are reasons for this arising from your particular situation or the objection is directed + against direct advertising. In the latter case, you have a general right to object, which will be implemented + by us without specifying a particular situation, unless the processing is necessary for the performance of a + task carried out in the public interest, Art. 21 para. 6 of the GDPR.** + +9. In accordance with Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority. + As a rule, the supervisory authority of your usual place of residence or workplace or the registered + office of the controller is available for this purpose. + +To exercise these rights, please contact the office specified in Section I. or II.
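Review bot: The new "### 2. Server log files" section under "V. Processing operations" does not say how long log data is kept, while the removed "d) Duration of storage" text committed to deletion "after no longer than seven days" and to deleting or pseudonymising IP addresses on any longer storage. The new list still includes the IP address and the hostname of the accessing computer, so add a retention statement to that section, or say that the hoster's retention applies and what it is. Three smaller points in the same hunk: in "V.1" the sentence "necessary for the fulfilment of its" / "fulfil its performance obligations" repeats the phrase and should be one clause; the numbered list in "VII. Rights of the data subject" jumps from 7 to 9; and item 1 of that list refers to "the rights explained in this section 4 and 6", which is ambiguous about what it points to in the new numbering.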