1. General Information
1.1 Data controller and purview
The Heinrich-Böll-Stiftung e.V. publishes its websites in accordance with the applicable privacy legislation of the European Union and of Germany.
The following is an outline of how we are processing your data. Inasmuch as the subsequent paragraphs or other, separate privacy information do not state otherwise, the provisions stated in this very section titled General information will apply.
1.2 How to contact our data protection officer
1.3 Rights of persons affected and Regulatory authority
As a rule, you have the following rights:
- Right of access (Article 15 General Data Protection Regulation, GDPR)
- Right to rectification (Article 16 GDPR)
- Right to erasure (Article 17 GDPR)
- Right to restriction of processing (Article 18 GDPR)
- Right to data portability (Article 20 GDPR)
- Right to object (Article 21 GDPR)
In order to exercise your rights you may contact us via mail <Link Impressum> or you may send an e-mail to email@example.com
We will review each individual request, and, should we conclude that the rights invoked do not apply, we will also give our reasons for such an assessment in writing.
We would also like to point out that, that we may require an additional proof of identity in order to minimize the risk of abuse of the rights.
You have the right to issue a formal complaint with the relevant supervisory authority in the state of Berlin. In addition to the named Berlin authorities, you may also contact the regulators in the federal state of Germany where you reside or work.
1.4 Data recipient
Data will only be transmitted to others according to rules set out in written agreements, in which all legal responsibilities are clearly laid out or, alternatively, according to the rules outlined in the following sections.
1.5 Changes to our data protection information
From time to time, this data protection information may be subject to changes and improvements, especially if changes in applicable law or our internal processes should necessitate this.
When using our websites, personal information is collected for the following purposes:
2.1 The transmission of online contents
2.2 The transmission of contents provided by third parties
2.3 The improvement of our web services
2.4 The security of our technical infrastructure
2.5 The transmission of postings (comments)
2.6 Anti-spam control
2.7 Database of the Green Memory Archive
2.8 Retention of data
2.1.1 Purpose and categories of data
In order for you to be able to view contents from our websites, your browser will transmit the following information (as part of an HTTP request):
- Your IP address (a numerical label that identifies your internet access point).
- Information about your device, for example the type of internet browser used, the rate of data transmission, or the size of your screen.
2.1.2 Legal basis
This data is processed based on our legitimate interest (Article 6.1 (f) GDPR) to display the content you requested in the best possible manner.
2.1.3 Retention of data
The data in question will not be retained after the requested content has been transferred.
2.1.4 Your rights
Rights of access, rectification, erasure and such are not applicable, as for the purpose of transmission, the data is only retained temporarily and will be deleted immediately after the end of the transaction.
2.2.1 Purpose and categories of data
Our websites are using, among others, the following services to embed third-party contents.
- Video via YouTube and Vimeo
- Sound via SoundCloud and Mixcloud
- News via Twitter
- Images via Flickr
- Open Street Map
Once you start using third-party services, their respective privacy policies apply.
Whenever third-party services are embedded in our websites – and unless we take technical measures to prevent that, you will be forwarded to the respective service provider who will thus be able to deduce that you have visited our website.
In addition to our own websites, we also provide contents via a number of social media outlets, which you may access by clicking on dedicated buttons on our websites or directly. When accessing such services, some of your personal data will be transferred to the respective social media service providers.
If you are logged into your personal social media accounts while visiting our websites, the respective social network will be able to track your visit to your account.
The social media share buttons, which we use on our website, will not automatically transfer data to the respective service providers. Only when clicking on such a button will you be forwarded to the respective social network, to share content with others.
2.2.2 Legal basis
The forwarding to third-party websites is based on our legitimate interest (Article 6.1 (f) GDPR), that is, in order to display the data you requested and related contents by third parties.
2.2.3 Retention of data
Data will be retained according to the privacy policies of the relevant third-party content providers (see above).
2.2.4 Your rights
Information about your rights are provided in the information privacy policies of the respective providers (see above).
2.3 The improvement of our web services
2.3.1 Purpose and categories of data
In order to optimise our online contents, we evaluate how users navigate our websites. For this, we analyse the following data, which is derived from HTTP requests:
- Part of your IP address (that is, the numerical label identifying your computer access point), which is being anonymised by deleting the final two parts (blocks of numbers) of the address.
- The web page you have requested.
- Information regarding the type of internet browser and operating system used.
- Possibly, the page visited before accessing our website (referer information).
2.3.2 Legal basis
The above-mentioned types of data processing are based on our legitimate interest (Article 6.1 (f) GDPR) to improve our web services.
2.3.3 Retention of data
All personalised data is anonymised immediately after it has been gathered.
2.3.4 Your rights
There is no legal right for the data in question to be rectified, deleted, or shared with the user, as the data retained is anonymised, thus, as a rule, making it impossible to connect specific data to individual users requesting such information.
We are also using Heatmap software to visualise usage of our website in anonymised form. If you would like to opt out of this, please click here.
For the opt-out process to work, a so-called opt-out cookie will be stored in your web browser. In case you should decide to delete all cookies stored in your browser, you will have to repeat the opt-out process.
We respect the “do not track” settings of your web browser. Once you activate these settings, we will not retain any of your data for web optimisation purposes.
2.4.1 Purpose and categories of data
To secure our technical infrastructure, we draw on the following information contained in the HTTP request:
- Your IP address (a sequence of numbers identifying your current computer access point to the web).
- The website you requested.
- Information about the type of internet browser and operating system used.
- Possibly, the web page viewed before visiting our website (referer information).
2.4.2 Legal basis
The information in question is being retained, as we have a legitimate interest (Article 6.1 (f) GDPR) to analyse malfunctions and attacks targeting our technical systems.
2.4.3 Retention of data
Unless security breaches are investigated, the data in question will be deleted within seven days. If breaches of security occur, the data will be deleted as soon as there is no further legitimate interest to retain them.
2.4.4 Your rights
Generally, there is a legal right to request information about the above-mentioned types of data, as well as a right to having them rectified. However, as a rule, the data in question can only be personalised via the IP address.
2.5.1 Purpose and categories of data
Users of our websites may post comments. Whenever this happens, we save the data displayed in the comment form, namely:
- Your name (displayed on the web)
- Your e-mail address (not displayed on the web)
- Your posting (displayed on the web)
If you edit the Kommunalwiki or post comments in this wiki, the following data will be retained:
- If you are not logged in: the IP address (displayed on the web).
- If you are logged into your user account: user name (displayed on the web).
- If you are logged into your user account: e-mail address (not displayed on the web).
- If you are logged into your user account: voluntary information regarding your expertise (displayed on the web).
We also retain the so-called “user agent string” to identify the web browser and support spam prevention.
2.5.2 Legal basis
Data retention and publication is by user consent (Article 6.1 (a) GDPR). The “user agent string” is retained to protect our legitimate interests (Article 6.1 (f) GDPR), namely to filter out spam.
2.5.3 Data Retention
The personal data in question will be retained for an unlimited time period – or until users retract their consent and demand deletion.
2.5.4 Your rights
For this category of data there is a general right to information and rectification.
2.6.1 Purpose and categories of data
For some of our web contents readers have the option to post comments, and such comments may be screened in order to filter out unwanted messages (spam). In order to do this, the following data may be analysed:
- E-mail address
- IP address
- Contents of posting
- Possibly, the web page viewed before visiting our website (referer information)
- Information about the operating system and web browser used
- Time of posting
2.6.2 Legal basis
The data in question is retained and analysed as we have a legitimate interest to filter out spam from comments posted on our website (Article 6.1 (f) GDPR), while, at the same time, keeping the effort required to do so at a reasonable level.
2.6.3 Retention of data
If a comment is categorised as spam, data may be retained indefinitely in order to optimise spam recognition. Where this is not the case, data will not be retained beyond the point of initial spam filtering.
2.6.4 Your rights
For the above categories and regarding permanent retention, there is a general right to information and rectification. A request for deletion will be granted on a case-by-case basis, provided the interest to have ones data deleted outweighs our interest to filter out spam.
2.7.1 Purpose and categories of data
When using the databases provided by our archive for its library, as well as for its collections, you may create and save personalised lists in order to bookmark titles and archival materials that are of interest to you and that you may want to access again at a later date. To enable you to do this, the items selected will be saved along with your user profile for the duration of your session. At the same time, we are using cookies that enable your web browser to bookmark such lists and to retransmit them to us during subsequent sessions.
For statistical purposes, we retain server log files, which may also be used to monitor illegal usage. Here, the following data is retained:
- Your IP address (a sequence of numbers identifying your computer‛s web access point at any given time)
- The website you requested
- The time and date of your request
- The amount of data transferred
- A note if access is from a mobile device
2.7.2 Legal basis
Data is retained as we have a legitimate interest (Article 6.1 (f) GDPR) to offer our visitors ease of access to information and provide them with a good user experience. We also have a legitimate interest to analyse our own systems in case of faults, illegal access, or hacking.2.7.3 Retention of data
Data pertaining to your personalised lists is retained until you decide to delete such a list in your web browser. You may also delete the respective cookie that is stored in your web browser. The corresponding HTML-link will only work for the duration of a session.
IP addresses retained for statistical purposes will be anonymised and these anonymised log files will be deleted after 12 months.
2.7.4 Your rights
You may access your personalised lists online and edit or delete them.
3. Newsletter, Mailing Lists, Subscriptions
When using the named services personal data will be retained for the following purposes
3.1 Establishing contact
3.2 Improving communication
3.1 Establishing contact
3.1.1 Purpose and categories of data
Personal data will be gathered and retained in order to fulfil one of the main missions of the Heinrich Böll Foundation according to § 2 of our statutes. At most, this comprises:
- Core data (name, title, gender / form of address, date of birth, job title, etc.)
- Contact data (mail address, e-mail, phone no., fax no., instant messenger, website, etc.)
- Areas of interest
- Relationship with Foundation, information about when contacted by Foundation
- Professional contacts and information about areas of expertise
- Legal basis for data retention, preferred privacy settings
3.1.2 Legal basis
Data is retained based on user consent (Article 6.1 (a) GDPR), or because the Foundation has a legitimate interest to do so (Article 6.1 (f) GDPR) in pursuance of the goals as set out in its statutes.
3.1.3 Retention of data
In the absence of other legal requirements, personal data will be retained until users retract their consent, submit an objection, or demand that the data be deleted. Additionally, the legal basis for the retention of data will be reviewed on a regular basis and, should no legal basis be applicable anymore, data will be deleted within a reasonable processing period of up to three months.
3.1.4 Your rights
For the above categories you have a general right to information, and you have the right to demand that data be rectified, deleted, or that its processing be limited.
3.2 Improving communication
3.2.1 Purpose and categories of data
In order to improve our external communication when sending out information, we process the following data:
- Successful delivery
- Failed delivery (so-called bounced messages)
- Anonymised percentage of opened messages and click rate for links in messages
3.2.2 Legal basis
The types of data mentioned above are processed because we have a legitimate interest (Article 6.1 (f) GDPR) to improve communications with our contacts.
3.2.3 Retention of data
Personalized newsletters and mailings sent by us will be deleted in their entirety after three years.
3.2.4 Your rights
For the above categories you have a general right to information, and you have the right to demand that data be rectified or deleted, provided the data retained has not been anonymised.
4. Attending events
4.1 Purpose and categories of data
In order to plan, organise, evaluate, and document events, personal data may be retained, as conferences and other events are central to the mission of the Heinrich Böll Foundation (see § 2 of our statutes). At most, the data in question comprises:
- Core data (name, title, form of address, job title, etc.)
- Contact data (mailing address, e-mail, phone no., etc.)
- Information about the event
- Relationship with Foundation, information about when contacted by Foundation
- Legal basis for data retention
- Photos and video taken at the event
4.2 Legal basis
In order to plan and organise an event, as well as for its documentation, the above-mentioned data will be processed on the basis that the participants have registered for the event (Article 6.1 (b) GDPR), see also The General Terms and Conditions for the Eventspace at the Heinrich Böll Foundation.
In order to evaluate events or inform participants about subsequent, similar events or publications, we are processing the above-mentioned data, as we have a legitimate interest to do so (Article 6.1 (f) GDPR), namely, in order to improve events and in pursuance of the Foundation‛s goals as stated in our statutes.
Photos and video taken at events will be processed and some of it published, based on our legitimate interest (Article 6.1 (f) GDPR), namely, in order to support our activities in political education and our public relations efforts.
4.3 Recipients of data
For events that are organised in co-operation with other organisations, the above-mentioned data may be passed on to the partners in question in pursuance of the above-mentioned goals and based on the legal framework referenced earlier.
Once published, pictures and video are accessible in all parts of the world.
4.4 Retention of data
All event participants agree to being contacted and having their data retained for the purposes of planning, organising, evaluating, and documenting the event in question. If there is no subsequent contact with the Foundation, such data will be deleted from our database individually, and after having been reviewed, after a period of 36 months and within a reasonable processing period of up to three months.
For purposes of documentation towards our funders and in compliance with legal requirements, materials related to events will have to be stored for at least ten years.
There is no defined retention period for photographs and video documenting our events, and such materials will be published on our websites as well as via our social media pages.
4.5 Your rights
For the above-mentioned data, you have the right to information and the right to request that incorrect data be rectified.
Regarding the evaluation of events you may withdraw your consent for the retention of your data.
In case of photography and video that focusses on individuals, you have the option to notify us or those we have commissioned or accredited for such purposes that you do not wish to have your picture taken (for example by wearing a specific type of button that is available during events). If this is either not possible or if photographers / videographers ignore such a request, you may contact us and we will try our best to prevent the publication of such images.
5. Ordering Publications
5.1 Purpose and categories of data
For the shipping of publications, we retain, at most, the following data:
- Core data (name, title, form of address, job title, etc.)
- Contact data (mailing and billing address, e-mail, etc.)
- Publications ordered
- Payment details (if applicable)
5.2 Legal basis
Data is retained based on a contractual or a pre-contractual legal relationship (Article 6.1 (b) GDPR).
5.3 Retention of data
As a rule, personal data will be deleted once a publication has been shipped. However, when ordering a publication involves payment, the relevant data will be retained for as long as required by law.
5.4 Your rights
You have the right to information about the above-mentioned types of data, as well as the right to have them rectified, deleted, or have their usage limited, provided there are no legal requirements demanding otherwise.
6. Surveys and evaluations
6.1 Purpose and categories of data
For evaluating the effectiveness of our programmes and activities, we are conducting surveys and handing out questionnaires to participants. For such measures, data will be immediately anonymised. In addition to the responses, we may also record general statistical data, such as gender, age group, migration background, etc.
6.2 Legal basis
The above-mentioned types of data are retained because we have a legitimate interest (Article 6.1 (f) GDPR) to improve our programmes for relevant target groups.
6.3 Retention of data
For surveys and evaluation purposes, no personal data is permanently retained.
6.4 Your rights
There is no right to information about data, nor is to have it rectified or deleted, as all data retained anonymised, making it impossible to relate data to individuals requesting information.
7. Webinars and video conferencing
7.1 Purpose and categories of data
In addition to registering for events that require participation in person (see above for Attending events), there is also the possibility of participating in online formats such as webinars or video conferences. In the latter case, participants only need to register with their name or, alternatively, may use a pseudonym.
Whenever third-party services are used to host such events, the types of data gathered and their usage may be subject to the information privacy policies of the third parties in question.
7.2 Legal basis
For such events, data is retained because you consented (Article 6.1 (a) GDPR) or because registration was mandatory (Article 6.1 (b) GDPR).
7.3 Retention of data
As a rule, webinars and video conferences will not be recorded and thus not retained. In case this is intended, reasons have to be given and prior consent of the participants is required.
7.4 Your rights
There is no right of information, or to have data rectified or deleted, as we do not retain personal data after the event has taken place.
When using third-party services, information regarding your rights may be obtained from the corresponding privacy policies.
8. Applying for jobs and internships
8.1 Purpose and categories of data
Data is only retained and processed for the purpose of conducting the application process for a job or internship you have applied for.
The following data will be retained:
- Personal details
- Address and contact information
- Materials that are part of your application
- Internal assessments of applications
In case you would like to have your travel expenses refunded, we will also have to process your bank account information.
8.2 Legal basis
Data retention and processing according to Article 6.1 (b) GDPR and, where applicable, Article 9.2 (b) GDPR, Article 88.1 GDPR, and § 26 Abs. 1 BDSG (Bundesdatenschutzgesetz = German federal data protection act).
8.3 Recipients of data
8.4 Retention of data
When the application process is finalised, all data will be deleted once the time period for appealing against the process has expired, that is, usually six months after the application process has been finalised.
For all data relating to payments, the mandatory legal retention periods apply.
8.5 Your rights
In case you withdraw your job application, all data will be deleted with the exception of your message notifying us of your withdrawal, which we retain for the above-mentioned retention period, as we have a justified interest to be able to document your withdrawal.
9.1 Types of data
As part of the application and selection process for our scholarship programme, our scholarship department will retain the following personal data:
- Core personal and contact data such as name, date of birth, nationality and information regarding your course of studies or promotion.
- Application data such as date of application, correspondence regarding application procedures, documents submitted as part of the application, expert assessments, and outcomes of the application process.
- If applicable, bank account information for refunding travel expenses.
As part of its scholarship programme, the scholarship department will also retain the following personal data as part of its scholarship files
- All documents that are relevant once a candidate has been accepted into the programme, namely certificates, reports, correspondence (including feedback on annual reports), financial documents, tax documents, income and asset verification, medical reports, bank account information.
- Documents verifying that mandatory events have been attended
This data is retained for the following purposes, specified in more detail in the following
- Implementation of the scholarship programme
- Evaluation and filing
- Transfer of data to facilitate contacts
9.2 Implementation of the scholarship programme
9.2.1 Purpose and legal basis
The collection, retention, and processing of data during the application process and for the duration of the scholarship programme is undertaken in order to review, supervise, and evaluate the funding on the basis of Article 6.1 (b) and (c) GDPR.
Once a candidate is accepted into the scholarship programme, the conditions for funding apply as laid down in the “Verpflichtungs- und Einverständniserklärung‟ (Declaration of Commitment and of Consent).
In order to ascertain that candidates do not receive multiple scholarships, data concerning candidates may be compared to data of other scholarship organisations (for example the German Academic Exchange Service, DAAD) and universities. For this, each year there will be spot checks for certain universities, meaning that the personal data (including family name, first name, address, date of birth, and university) will be transferred to the German Federal Ministry of Education and Research, which will then compare such data with that submitted by other scholarship programmes, the BaföG offices that oversee student grants and loans, the DAAD, and the relevant universities.
9.2.2 Retention of data
All parts of the scholarship file that are relevant for the funding process (including documents submitted as part of the application) have to be retained for ten years, in order to enable the funder to assess that the funding has met all legal criteria. Ten years after the end of the funding – after the last instalment has been disbursed – the data will be deleted at the end of the respective year.
The applications of candidates that have not been awarded a scholarship, will be retained for a period of three years, after which they will be deleted at the end of the respective year, including the personal core and contact data. For all data pertaining to financial information such as refunds for travel expenses when participating in the so-called selection workshops the mandatory legal retention periods apply.
9.2.3 Your rights
Documents submitted, including certificates, application forms, and reports, may be viewed upon request.
Documents created upon request of the scholarship department, such as expert assessments, testimonials, as well as internal documents pertaining to the selection process and the decision to award a scholarship are confidential and may not be viewed by scholarship holders.
9.3 Evaluation and archiving
9.3.1 Purpose and legal basis
The file will also be processed in order to evaluate the non-material as well as the material components of the programme.
Selected files, including forms and documents submitted upon application, will be permanently archived. Files to be archived are not selected independent of the person. Currently all files of scholarship holders whose surnames begin with the letters D or L will be transferred to the archive for permanent retention.
The legal basis for the evaluation and the permanent archiving are the legitimate interests of the Foundation (Article 6.1 (f) GDPR) to process the data in ways that enable it to improve its scholarship programme, as well as for academic, statistical, and archival purposes.
9.3.2 Retention of data
Files archived are retained for an indefinite time period.
9.3.3 Your rights
Those affected may have the right to object to the above-mentioned usages, provided the Foundation cannot prove that there are compelling and valid reasons to do otherwise.
9.3.4 Transfer of data
Currently, personal data will only be passed on to third parties or made accessible for research purposes or publication, if this is required by law and currently required the individuals in question to have given their explicit consent.
9.4 Transfer of data to facilitate contacts
9.4.1 Purpose and legal basis
Scholarship holders can grant general permission for their personal information, including name, address, phone no., e-mail, university, course of study or doctoral subject, and title of their dissertation to be passed on to other scholarship holders, liaison lecturers, departments of the Foundation (including state and international offices) during the scholarship and evaluation periods. If they do so, data will be processed and retained based on their consent and according to Article 6.1 (a) GDPR.
9.4.2 Your rights
You have the right to withdraw your consent at any time.