Data protection

Our website data protection information is organised as follows:

A. Controller
B. Processing of personal data
C. Your rights

To ensure ease of legibility, gender-neutral pronouns have been used in this document. All personal information applies equally to all genders.

A. Controller

The controller responsible for processing personal data is:
Baden-Württemberg Stiftung gGmbH
Kriegsbergstraße 42
70174 Stuttgart
Tel.: +49 (0)711 248 476 -0
E-mail: info[at]bwstiftung(dot)de

You can contact our Data Protection Officer at:
Baden-Württemberg Stiftung gGmbH
Data Protection Officer
Frank Grossmann
Kriegsbergstr. 42
70174 Stuttgart
grossmann[at]bwstiftung(dot)de

B. Processing of personal data

In this section, you can read more about how personal data is collected, as well as the purposes for which it is processed and on what legal basis. You can also learn to whom the data is disclosed and for what purpose, and under what conditions it is deleted.

1. Technical and functional provision of the website

We process personal data in order to provide our website in accordance with statutory regulations, and with the fewest possible technical or functional restrictions.

a. Logs

When you visit our website, we store certain access details, such as your browser type and version, the operating system used, the previously visited website, the access date and time of the server query, and the file request of the client (file name and URL). We use this data in anonymised form for statistical analyses, without associating the data with an individual user.

The purpose of this data processing is to ensure that the website can be called up and displayed correctly on your device, and to optimise our website. We have a legitimate interest in doing so. The legal basis for processing are Art. 6 para. 1 clause 1 lit. f GDPR and Sec. 15 of the Telemedia Act (TMG).

b. Consent Management Tool

In order to obtain and document your consent to data processing by a variety of services, our website uses the Consent Management Tool ("CMT") of consentmanager GmbH, Eppendorfer Weg 183, 20253 Hamburg ("consentmanager").

When you open our website, you can submit declarations of consent via the CMT for individual data processing procedures; these are then stored by the CMT. consentmanager stores cookies on our behalf for this purpose. These are small text files saved on your computer. These include the following cookies:

  • __cmpcc: Functional duration: 1 year; access only on our behalf by consentmanager.
  • __cmpcccu13211: Functional duration: 1 month; access only on our behalf by consentmanager.
  • euconsent-v2: Functional duration 1 year; access only on our behalf by consentmanager.
  • nc_euconsent: Functional duration 2 weeks; access only on our behalf by consentmanager.

The cookies can be used to track which data processing you have consented to by which services, and which you have not consented to, the next time you open the website. This means that you do not have to adjust your cookie settings each time you visit the site. Of course, you can also change your selection later on using the settings. You can open the settings at any time using the check mark symbol at the bottom left of our website.

We use the CMT so that you can consent to a variety of data processing procedures, and revoke consent you have previously granted. We are obligated by law to obtain and document your consent. The legal basis for data processing using the CMT is Art. 6 para. 1 clause 1 lit. c GDPR.

Further information on the CMT and data protection at consentmanager is available at: https://www.consentmanager.net/privacy.php.

2. Contacting us, contact and order form

We collect personal data when you share it with us. This may include, for instance, data which you enter into an order or contact form, or which you transmit to us when you contact us. If certain input fields are marked as “mandatory fields”, we use these fields to collect the data required to carry out the desired measures. Of course, you are welcome to provide us with additional data if you want.

This data is processed on the basis of Art. 6 para. 1 clause 1 lit. b GDPR, if this is necessary in order to carry out the measures you request. In all other cases, the processing is based on our legitimate interest in effectively processing the inquiries submitted to us (Art. 6 para. 1 clause 1 lit. f GDPR).

3. Request portal

You can use our request portal to submit requests in conjunction with projects. The request portal is provided on our behalf by XIMA MEDIA GmbH, Sudhausweg 9, 01099 Dresden ("XIMA").

If certain input fields are marked as “mandatory fields” in the request process, we use these fields to collect the data required to process your request. Of course, you are welcome to provide us with additional data if you want.

This data is processed on the basis of Art. 6 para. 1 clause 1 lit. b GDPR, if this is necessary in order to process your request. In all other cases, the processing is based on our legitimate interest in effectively processing the inquiries submitted to us (Art. 6 para. 1 clause 1 lit. f GDPR).

if you have consented to this (Art. 6 para. 1 clause 1 lit. a GDPR), we can transmit your contact information to participants in other projects in order to promote discussion between yourself and them.

4. Advertising measures, in particular the e-mail newsletter

We can use your data for advertising purposes. We have a legitimate interest to use your data for the purpose of direct advertising, in the sense of Art. 6 para. 1 clause 1 lit. f GDPR.

If you have consented to this, (Art. 6 para. 1 clause 1 lit. a GDPR), we will also use your data to send an e-mail newsletter. The newsletter uses a technical design which allows us to see whether you have opened it. Statistical information on opening rates, clicks, unsubscriptions, and bounces (response if a newsletter cannot be delivered) is stored and processed in this context. The collected information is used to make the newsletter more attractive for you in the future.

You can revoke your consent to receive the newsletter at any time using the “unsubscribe” link provided for this purpose in each e-mail newsletter, or by sending a message to the contact information provided above. Furthermore, you can object to the processing of your personal data for advertising purposes with future effect either in writing, by fax, by e-mail, or by phone, without incurring any costs for this beyond the costs of transmitting the message according to the base tariff rates. The legality of any data processing carried up to that point shall remain unaffected.

The newsletter is sent out by a service provider which is bound to follow our instructions and obligated to uphold data protection law specifications, and which may not use the data for any other purpose.

5. Further processing of personal data on our website

a. Google services

If you have consented to this, this website uses services provided by Google Ireland Limited, Google Building Gordon House, 4 Barrow Street, Dublin, D04 E5W5, Ireland ("Google").

aa. General information on Google services, legal basis

In order to provide these services, Google processes personal data. The legal basis for data processing by the Google services is your consent under Art. 6 para. 1 clause 1 lit. a GDPR.

It is possible that information collected by Google services may be transmitted to a Google server in a third country, in particular to a server belonging to the parent company of Google, Google LLC, which is headquartered at 1600 Amphitheatre Parkway, Mountain View, California, USA, and stored there. Transmitting personal data to the USA is associated with particular risks for data subjects. Therefore, Google services are only integrated and only permitted to process data with your express consent. Further information on data transmission to third countries is provided under clause 7.

If you are logged into your Google account, then Google can add processed information to your account if your account settings permit this, and can treat it as personal data, cf. in particular https://www.google.de/policies/privacy/partners/. We receive no information on the data collected in this manner, or its usage.

Further information on data processing by Google is available at:

bb. Google Maps

This website uses Google Maps to visually represent geographic information and to generate directions.

The embedding of Google Maps is linked to your settings in our Content Management Tool. Therefore, you are initially shown only a preview image on our website, without any connection being formed to Google. Only after you have activated the map function in the settings, by moving a controller, is a connection to Google formed. When you do so, your IP address will be forwarded to Google's servers, and Google will be informed that your IP address was used to visit our website. In addition, based on the information Google has provided, it can collect data on your user behaviour through cookies, which are small text files stored on your computer. These include the following cookies:

  • DV: Functional duration: 1 day; Google receives access to the processed data.
  • ANID: Functional duration: 1 year; Google receives access to the processed data.
  • NID: Functional duration: 6 months; Google receives access to the processed data.
  • 1P_JAR: Functional duration: 1 month; Google receives access to the processed data.
  • CONSENT: Function: Stores whether a visitor has granted their consent to data processing by Google Maps; functional duration: 37 years; Google receives access to the processed data.

You can also deactivate the Google Maps service, and thereby prevent data transfer to Google, by deactivating JavaScript using your browser settings. However, please note that if you do so you will not be able to display maps.

Further information on Google Maps is available at: https://www.google.com/intl/de_de/help/terms_maps.html (Terms of Use for Google Maps).

cc. YouTube

We have integrated videos from the Google service YouTube so that you can view these on our website.

The embedding of YouTube is linked to your settings in our Content Management Tool. Therefore, you are initially shown only a preview image on our website, without any connection being formed to Google. Only after you have activated the video play function in the settings, by moving a controller, is a connection to Google formed. When you do so, your IP address will be forwarded to Google's servers, and Google will be informed that your IP address was used to visit our website. In addition, based on the information Google has provided, it can collect data on your user behaviour through cookies, which are small text files stored on your computer. These include the following cookies:

  • 1P_JAR: Functional duration: 1 day; Google receives access to the processed data.
  • NID: Functional duration: 6 months; Google receives access to the processed data.
  • ANID: Functional duration: 1 year; Google receives access to the processed data.
  • DSID: Functional duration: 1 day; Google receives access to the processed data.
  • IDE: Functional duration: 1 year; Google receives access to the processed data.
  • CONSENT: Function: Stores whether a visitor has granted their consent to data processing by YouTube; functional duration: 37 years; Google receives access to the processed data.

You can also deactivate the embedding of YouTube videos, and thereby prevent data transfer to Google, by deactivating JavaScript using your browser settings. However, please note that if you do so you will not be able to use the video function.

Further information on YouTube is available at https://www.youtube.com/t/terms (Terms of Use of YouTube).

d. Matomo (formerly Piwik)

If you have consented to this, we use the open source web analytics software “Matomo” on our website.

We use Matomo to collect and process personal data for optimisation and marketing purposes. This includes, in particular, the visitor’s IP address, which is anonymised directly, a randomly assigned user ID, the date and time of the first, last, and current access of our website, the total number of visits to our website, the visitor’s location, and the visitor's language settings. Cookies, which are small text files, are saved on your computer in order to collect the data. These include the following cookies:

  • _pk_id.: Function: Assigns a long-term ID to the visitor, functional duration: 1 year; processed data is accessed only by us or our website supervisors on our behalf.
  • _pk_ses.: Function: Assigns an ID to the visitor for the duration of their current visit; functional duration: Session; processed data is accessed only by us or our website supervisors on our behalf.

The collected data is used to create and analyse pseudonymous usage profiles. The pseudonymous usage profiles relate only to our website. There is no cross-service or cross-website tracking. Likewise, the individual users are not identified personally.

Your personal data is processed by Matomo only if you have consented to this. The applicable legal basis in this respect is Sec. 15 para. 3 clause 1 TMG.

Further information on data processing by Matomo is available at:

 

6. Transmission of data to third parties

Your personal data is transmitted to third parties only if this is necessary for the purpose of carrying out a contract (Art. 6 para. 1 clause 1 lit. b GDPR), if you have expressly agreed to the transmission (Art. 6 para. 1 clause 1 lit. a GDPR), or if data protection law permits such transmission. However, only the necessary data is transmitted in each case.

Categories of recipients of personal data not bound to observe our instructions are: Providers of map and video services, providers of donation forms and creators of donation projects.

Categories of service providers bound to observe our instructions and obligated under data protect law to not use the data for any other purpose are: Service providers which provide services related to providing inquiry forms, sending the newsletter, and providing website support and hosting.

7. Transmission to third countries

Services from companies headquartered in the USA or with a relationship to the USA are embedded in our website. If you consent to data processing by one of these service providers, it is possible that US authorities may receive unrestricted access to your processed personal data. You have no legal recourse against such access. Specifically, these include the following service providers:

1.       Service: Google Maps

Provider: Google Ireland Limited, Dublin/Ireland

Parent company: Google LLC, Mountain View/USA

2.       Service: YouTube

Provider: Google Ireland Limited, Dublin/Ireland

Parent company: Google LLC, Mountain View/USA

It is possible that the companies or their respective parent entities and/or US authorities may access personal data which was processed in order to provide the services.

In the past, this transmission of personal data to the USA has been justified because the companies or the parent entities of the companies were certified according to the EU-US Privacy Shield, however this was declared invalid in July of 2020 by the European Court of Justice. Transmission on the basis of the so-called standard data protection clauses pursuant to Art. 46 para. 2 lit. c GDPR is not possible, because the high standards of the ECJ and data protection supervisory authorities for further agreements with companies in the USA have (not yet) been fulfilled. Negotiations regarding a follow-up agreement to the Privacy Shield have been held between the USA and EU. However, it is not possible to know when these will be concluded.

Therefore, we use these services only with your prior express consent, and inform you expressly of the following, with respect to the risks of data transmission to one of the service providers listed above:

Based on the authorities of the US secret services and the legal situation in the USA, state monitoring activities carried out by the USA are excessive, and from the standpoint of the EU an appropriate level of data protection is not provided by the state for personal data. In particular, Sec. 702 of the American Foreign Intelligence Surveillance Act (FISA) includes no restrictions to monitoring activities by secret services, and provides no guarantees to non US citizens. The Presidential Policy Directive 28 (PPD-28), furthermore, provides data subjects with no effective legal recourse against measures carried out by the US authorities, and includes no barriers for ensuring reasonable measures. In addition, under the US Cloud Act, US authorities can request that US companies provide all of the data they have saved, even if this data is located on servers within the EU.

8. Deletion of data

We store the personal data that we process for as long as necessary to achieve the respective purpose – in particular to process your inquiry or request – in consideration of statutory retention periods (such as, in accordance with the Commercial Code and tax code, ten years for tax-relevant documents or six years for other business-related correspondence) (Art. 6 para. 1 clause 1 lit. c GDPR). It is possible that data may be stored beyond the statutory retention periods if you have consent to this in accordance with Art. 6 para. 1 clause 1 lit. a GDPR, or if the purpose for data processing is still applicable.

C. Your rights

 

1. Deactivation of cookies

Some of the processing procedures explained above use cookies. Most browsers accept cookies automatically. If you do not want your browser to do so, you can deactivate the storage of cookies on your hard drive using your browser settings. In addition, you can delete cookies that have been saved at any time using your browser settings. However, if you do so, you may not be able to use all functions of our website in full.

2. Right of revocation

Some of the processing procedures explained above are carried out only with your consent. You can revoke your consent to carry out these processing procedures at any time, with future effect. However, if you do so you may no longer be able to use our services as usual until you have consented to the respective data processing once again. You can exercise your right of revocation using the Consent Management Tool. You can open this tool at any time using the check mark symbol at the bottom left of our website. This also allows you to consent to individual data processing procedures once again.

3. Right to object

You can object to the use of personal data for the purpose of direct advertisement at any time; you can also object to the use of personal data on the basis of Art. 6 para. 1 lit. e or f GDPR for reasons related to your specific situation at any time with future effect, without incurring any costs for this beyond the base tariff rates for the transmission costs.

4. Rights to information, rectification, deletion or restriction, and portability

According to the requirements of Art. 15 to 20 GDPR, you have the right to receive information on the personal data we have saved on you free of charge, to request that incorrect data be rectified, and to request that data be deleted or processing be restricted, as well as the right to request the transfer of your personal data. In some cases, however, we are not allowed to delete all user data due to statutory retention periods.

5. Right to submit complaints

You have the right to submit complaints to a supervisory authority. The supervisory authority responsible for us is the State Officer for Data Protection and Freedom of Information for Baden-Württemberg, Königstraße 10a, 70173 Stuttgart.