Name and contact details of controller pursuant to article 4(7) General Data Protection Regulation (GDPR)

Company: PrOut@Work-Foundation (PROUT AT WORK)
Address: Dantestr. 29, 80637 Munich
Phone: +49 89 1434 780 – 0
Fax: +49 89 1434 780 – 29
E-Mail: info@proutatwork.de
Web: www.proutatwork.de

Security and protection of your personal data

PROUT AT WORK takes the protection of your personal data very seriously. We consider it our primary task to protect the confidentiality of the personal data you provide us with, and to protect these data against any unauthorised access. Therefore, we take great care and employ the latest security standards to guarantee maximum protection of your personal data.

As a private-law company, we are subject to the provisions of the European General Data Protection Regulation (GDPR) and the provisions of the German Federal Data Protection Act [Bundesdatenschutzgesetz] (BDSG). We have taken technical and organisational measures to ensure that we and our external service providers observe the regulations on data protection.

PROUT AT WORK’s vision and work focusses on creating equal opportunities for LGBT*IQ in the world of work. This inevitably associates you as a private person and the involved company with LGBT*IQ.

Accordingly, PROUT AT WORK will oblige its employees to comply with the data protection regulations.

The following policy declaration provides an overview of how PROUT AT WORK ensures data protection and what types of data are collected for what purpose.

For all questions relating to data protection and all other matters you can contact us at info@proutatwork.de.

Definitions

The legislator stipulates that personal data must be processed lawfully, fairly and in a manner that is transparent to the data subject (“lawfulness, fair processing, transparency”). To ensure this, we hereby inform you about the individual statutory definitions that are also used in this privacy policy:

1. Personal data

“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2. Processing operations

“Processing” is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

3. Restriction of processing

“Restriction of processing” is the marking of stored personal data with the aim of limiting their processing in the future.

4. Profiling

“Profiling”is any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

5. Pseudonymisation

“Pseudonymisation” is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

6. Filing system

“Filing system” is any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

7. Controller

“Controller” is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

8. Processor

“Processor” is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

9. Recipient

“Recipient” is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

10. Third parties

“Third party” is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

11. Consent

“Consent” of the data subject is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Lawfulness of Processing

The processing of personal data is lawful only if there is a legal basis for the processing. Pursuant to point (a) through (f) of art. 6(1) GDPR, legal basis for processing may include in particular:

  1. The data subject has given consent to the processing of his or her personal data for
    one or more specific purposes;
  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Information on the collection of personal data

(1) In the following, we inform you about the collection of personal data when you are using our website. Personal data are, for example name, address, email addresses, user behaviour.

(2) When contacting us per email or using a contact form, the data you provide us with (your email address, name and phone number, if applicable) are stored in order to answer your questions. We delete data collected in this connection once storage is no longer required; if there are statutory obligations to keep the data, we will restrict the processing of the data.

Collection of personal data when visiting our website

If you use our website for informational purposes only, i.e. if you do not register or otherwise provide us with information, we will collect only the personal data transferred from your browser to our server. If you want to visit our website, we collect the following data required for technical reasons in order to be able to display our website and to ensure stability and security (legal basis is point (f) of art. 6(1) sentence 1 GDPR):

  • IP address
  • date and time of request
  • time zone difference to Greenwich Mean Time (GMT)
  • content of request (specific site)
  • access status/HTTP status code
  • data volume transmitted in each case
  • requesting website
  • browser
  • operating system and its interface
  • language and browser software version
Use of cookies

(1) In addition to the data mentioned above, when you use our website, cookies will be stored on your computer. Cookies are small text files stored on your hard disc drive allocated to the browser you used and by means of which the site that set the cookie is provided with specific information. Cookies cannot run a programme or leave a virus on your computer. Their purpose is to make the Internet offering more efficient and more user-friendly.

(2) This website uses the following types of cookies, the scope and function of which will be explained below:

–     transient cookies (see a.)

–     persistent cookies (see b.).

  1. Transient cookies are deleted automatically once you close the browser. These cookies include in particular session cookies. These cookies store the session ID, which enables various requests of your browser to be identified as belonging to a joint session. As a result, your computer may be recognized when you return to our website. Session cookies are deleted once you log out or close the browser.
  2. Persistent cookies are deleted automatically after a predefined period. This period may differ, depending on the respective cookie. You can delete cookies in your browser’s security settings any time.
  3. You can configure your browser settings according to your wishes and , for example, refuse to accept any third-party cookies or any cookies at all. Third-party cookies are cookies set by third parties, i.e. not by the website you are actually visiting. We would like to point out to you that deactivating cookies may result in you not being able to use all the functions of this website.
Use of Google Maps plug-in

On our website, we use a plug-in of the Internet service Google Maps. The Operator of Google Maps is Google Inc., located in the U.S., CA 94043, 1600 Amphitheatre Parkway, Mountain View.

When you use Google Maps on our website, any information on the use of this website and your IP address will be transmitted to a Google server in the U.S., and will also be stored on this server. We have no knowledge of the exact content of data transferred or their use by Google. In this context, the company denies any connection between the data and information from other Google services and the collection of personal data. However, Google may pass this information on to third parties.

If you deactivate JavaScript in your browser, you will prevent Google Maps from being executed. However, this means that you cannot use the map display on our website.

By using our website, you consent to the collection and processing of the data by Google Inc. as set out above.

For details on the privacy policy and terms of use for Google Maps please click here: https://www.google.com/intl/de_de/help/terms_maps.html.

Use of EVENTBRITE events plugins

We use EVENTBRITE functions on our website. Detailed information regarding the Privacy Policy and Terms of Use are available from EVENTBRITE. By using our services (in particular events organised via EVENTBRITE), you agree to the EVENTBRITE privacy policy and terms of use. PROUT AT WORK is not responsible for the lawfulness of EVENTBRITE’s privacy protection

use of matomo

We use Matomo (formerly Piwik) for web analytics, a service provided by InnoCraft Ltd, 150 Willis St, 6011 Wellington, New Zealand, NZBN 6106769, (“Matomo”) using cookie technology. The protection of your data is important to us, which is why we have additionally configured Matomo in such a way that your IP address is only recorded in shortened form. We therefore process your personal usage data anonymously. It is not possible for us to draw conclusions about your person. Further information on the Matomo terms of use and the data protection regulations can be found at: https://matomo.org/privacy/

[matomo_opt_out language=en]

Use of Zoom, Microsoft Teams and other video conferencing tools

Below, we would like to inform you about the processing of personal data in connection with the use of “Zoom, Microsoft Teams and other video conferencing tools” [subsequently referred to as video conferencing tool].

Purpose of processing

We use the video conferencing tool for the purpose of conducting phone conferences, online meetings, video conferences and/or webinars (subsequently: “online meetings”).

Responsible person

The PROUT AT WORK Foundation is responsible for data processing in direct connection with conducting “online meetings”.

Please note: To the extent that you visit the video conferencing tool web page, the provider of the video conferencing tool is responsible for data processing.

What data is being processed?

While using a video conferencing tool, various types of data are being processed. The extent of this data also depends on which details you provide before or during your participation in an “online meeting”.

The following personal data is subject to processing:

User information: given name, surname, phone number (optional), e-mail address, password (unless “single sign-on” is used), profile picture (optional),

department (optional)

Meeting metadata: topic, description (optional), participant IP addresses, device/hardware information

For recordings (optional): MP4 file of all video, audio and presentation recordings, M4A file of all audio recordings, text file of the online meeting chat.

When dialling in via telephone: information about incoming and outgoing phone numbers, country name, start and end time. Where applicable, further connection data such as the device’s IP address may be stored.

Text, audio and video data: In an “online meeting”, you may have the option to use the chat, question or survey functions. To that extent, the text you enter is processed in order to display it in the “online meeting” and, where applicable, to log it. To enable the display of video and audio playback, the data from your device’s microphone as well as from any video camera your device may have will be processed accordingly for the duration of the meeting. You can switch off or mute the camera or the microphone yourself at any time via the video conferencing tool.

In order to participate in an “online meeting” or enter the “meeting room”, you will have to at least enter information regarding your name.

Extent of processing

We use the video conferencing tool to conduct “online meetings”. If we intend to record “online meetings”, we will inform you in a transparent manner in advance and ask – if required – for your permission. The fact that the meeting is being recorded will also be displayed within the video conferencing tool.

If it is necessary for the purpose of logging the results of an online meeting, we will be logging chat contents. Should we be logging chat contents, we will inform you about this in a transparent manner in advance and – where required – ask for your permission.

For webinars, we may also process questions asked by webinar participants for recording and follow-up purposes.

If you are a registered user of the video conferencing tool, reports about “online meetings” (meeting metadata, data regarding the telephone dial-in, questions and answers in webinars, survey function in webinars) may be stored for up to one month.

Automated decision-making in the sense of Art. 22 DSGVO [General Data Protection Regulation, GDPR] will not be used.

Legal basis for data processing

Where personal data of employees of the PROUT AT WORK Foundation is processed, § 26 BDSG [German Federal Data Protection Act] is the legal basis for data processing. Should personal data in connection with the use of the video conferencing tool not be required for the establishment, execution or termination of employment but nevertheless be an essential part of using the video conferencing tool, Art. 6 par. 1 (f) GDPR is the legal basis for data processing. Our interest in these cases lies in conducting “online meetings” effectively.

Otherwise, the legal basis for data processing when conducting “online meetings” is Art. 6 par. 1 (b) GDPR, provided the meetings are conducted as part of contractual relations.

If no contractual relation exists, the legal basis is Art. 6 par. 1 (f) GDPR. Once again, our interest in these cases lies in conducting “online meetings” effectively.

Recipients / Disclosure of data

Personal data that is being processed in connection with the participation in “online meetings” will not be disclosed to third parties, unless it is specifically intended to be disclosed. Please note that contents from “online meetings”, similar to in-person meetings, often specifically serve to communicate information to customers, interested parties or third parties and are thus intended to be disclosed.

Further recipients: The provider of the video conferencing tool necessarily gains knowledge of the above-mentioned data to the extent provided by our data processing agreement with the video conferencing tool.

Data processing outside the European Union

Some video conferencing tools include services delivered by a provider from the USA. Processing of personal data thus also takes place in a third country. We have signed data processing agreements with the providers of the video conferencing tools that fulfill the requirements of Art. 28 GDPR.

An adequate level of data protection is guaranteed by the “Privacy Shield” certification of Zoom Video Communications, Inc. on the one hand and through the conclusion of the so-called EU Standard Contractual Clauses on the other.

Further features and services available on our website

(1) In addition to using our website for purely informational purposes, we also offer various services you can use if you are interested. You will generally be required to provide further personal data that we use in order to render the respective service; for these data, the principles on data processing as set out above apply.

(2) When processing your data, we use external providers in some cases. These have been carefully selected and instructed by us, are bound by our instructions, and are monitored on a regular basis.

(3) Furthermore, we may disclose your personal data to third parties where promotions, competitions, concluding agreements or similar services are offered by us together with partners. You will receive further information in this regard when you provide us with your personal data, or you can also refer to the description of the service below.

(4) To the extent our providers or partners are resident outside the European Economic Area (EAA), we will inform you about the consequences of this circumstance in the service description.

Newsletters

(1) With your consent, you can subscribe to our newsletter, in which we inform you about our current interesting offers. The goods and services promoted are specified in the declaration of consent.

(2) For subscription to our newsletter we use the double opt-in procedure. This means that after you have subscribed to the newsletter we will send you an email to the email address you provided us with in which we ask you to confirm that you wish to receive the newsletter. If you do not confirm your subscription within 24 hours, your information will be blocked and deleted automatically after one month. Furthermore, we store the IP addresses you used and the times of your subscription and confirmation. The purpose of this procedure is to prove that you have subscribed to the newsletter and to help investigate any misuse of your personal data, if applicable.

(3) Data required for sending you the newsletter include your email address and your full name. The provision of further, specifically marked data is voluntary. Those data are used to contact you personally. Following your confirmation, we store your email address for the purpose of sending you the newsletter. The legal basis is point (a) of art. 6(1) sentence 1 GDPR.

(4) You may revoke your consent to receiving the newsletter at any time and unsubscribe to the newsletter. You can revoke your consent by clicking on the link provided in every newsletter email, by using the form on our website, via email to info@proutatwork.de or by contacting us using the contact data specified in the legal notice [Impressum].

(5) We would like to point out to you that we analyse your user behaviour after we sent out our newsletter. For this analysis, the emails sent by us contain web beacons and/or tracking pixels that are single-pixel images stored on our website. For this analysis, we link the data specified under section 3 and the web beacons with your email address and an individual ID. The data are collected in a pseudonymised manner only, i.e. the IDs are not linked to your further personal data, meaning that the data cannot be used to directly identify the data subject. You can revoke your consent to this form of tracking at any time by clicking on the separate link provided in every email, or informing us using another means of contact. Information is stored for as long as you subscribe to the newsletter. Once you have unsubscribed to our newsletter, we store the data for mere statistical purposes and in an anonymous manner.

Further services offered by PROUT AT WORK
Personal data in general networking

The work of PROUT AT WORK is based on networking, the connecting of suitable contacts and the continuous extension of this network. To connect the contacts in our network, we collect, store and, upon request of members of our network, forward the following personal data.

  • Full name
  • Company name
  • Position in the company
  • Company address
  • Name of LGBT*IQ network in which the person is active
  • Phone number at work
  • Mobile phone number
  • Further (mobile) phone numbers we have been provided with
  • Business email address
  • Network email address
  • Further email addresses we have been provided with
  • Consent to data protection clause
  • Consent to personal data being disclosed to members of our network and cooperation partners
Personal data at the PROUT AT WORK Conference

In order to plan and hold the annual PROUT AT WORK Conference, we collect and store the following personal data:

Attendees:

  • Full name
  • Company name
  • Position in the company
  • Email address
  • Name of LGBT*IQ network in which the person is active

Speakers:

  • Full name
  • Company name
  • Position in the company
  • Images
  • Short CV
  • Email address

Sponsors:

  •  Company name
  • Company logo
  • Type of sponsoring

The data relating to speakers and sponsors is disclosed to cooperation partners for graphical processing in connection with the creation of our conference brochure, and can be accessed by those who attend our conference, as they are published in our conference brochure.

You can register as an attendee on Xing Events. PROUT AT WORK is not responsible for the legality of XING Events’ data protection.

After the event, an opinion survey is conducted using www.surveymonkey.de. By participating in the survey, you consent to Surveymonkey’s data protection policy. PROUT AT WORK is not responsible for the legality of Surveymonkey’s data protection.

Personal data at PROUT AT WORK Deep Dives

In order to plan and hold the PROUT AT WORK Deep Dives, we collect and store the following personal data:

Attendees:

  • Full name
  • Company name
  • Position in the company
  • Email address
  • Name of LGBT*IQ network in which the person is active

You can register as an attendee on Xing Events. PROUT AT WORK is not responsible for the legality of XING Events’ data protection.

After the event, an opinion survey is conducted using www.surveymonkey.de. By participating in the survey, you consent to Surveymonkey’s data protection policy. PROUT AT WORK is not responsible for the legality of Surveymonkey’s data protection.

Personal data at the PROUT AT WORK workshop “Should I or shouldn’t I?”

In order to plan and conduct the PROUT AT WORK workshop “Should I or shouldn’t I?”, we collect and store the following personal data:

Attendees:

  • Full name
  • Company name
  • Email address
  • Mobile phone number

These data will be shared with the attendees by including them in the workshop minutes. Your personal data will be treated anonymously as far as your employer is concerned.

Personal data when attending DINNER BEYOND BUSINESS

In order to plan and hold the DINNER BEYOND BUSINESS event, we collect and store the following personal data:

Attendees:

  • Full name
  • Company name
  • Position in the company
  • Company address
  • Email address
  • Name of contact/assistant
  • Email address of assistant
  • Name of further contact(s)
  • Email address of further contact(s)
Personal data when participating in the PROUTEMPLOYER programme

When participating in the PROUTEMPLOYER programme, the following personal data are collected and processed:

Company data:

  • Company name
  • Company logo
  • Company address
  • Consent to data protection clause
  • Consent to personal data being disclosed to members of our network and cooperation partners

Contacts at the PROUTEMPLOYER companies:

  • Full name of contacts
  • Positions of contacts in the company
  • Name of LGBT*IQ network in which the person is active
  • Phone number of contacts at work
  • Mobile phone number of contacts
  • Further (mobile) phone numbers of the contacts we have been provided with
  • Business email address of contacts
  • Consent to data protection clause
  • Consent to personal data being disclosed to members of our network and cooperation partners

LGBT*IQ company network of PROUTEMPLOYERs:

  • Full name of contacts
  • Positions of contacts in the company
  • Name of LGBT*IQ network in which the person is active
  • Phone number of contacts at work
  • Mobile phone number of contacts
  • Further (mobile) phone numbers of the contacts we have been provided with
  • Business email address of contacts
  • Network email address
  • Further email addresses of contacts we have been provided with
  • Consent to data protection clause
  • Consent to personal data being disclosed to members of our network and cooperation partners

As a PROUTEMPLOYER, you regularly feature in PROUT AT WORK publications and will, in cooperations with PROUT AT WORK, be mentioned at least with your company data.

  • Publication on our website www.proutatwork.de
  • Publication on our website www.proutemployer.de
  • Publication in our annual activity report
  • Sharing on social media channels (Facebook, Linked In, Instagram, Xing)
Personal data on the TOP 100 list in connection with www.outexecutives.de

In order to prepare the TOP 100 OUT EXECUTIVES list, the following personal data are collected and processed:

Nominee:

  • Full name
  • Company name
  • Email address
  • Job title/position
  • Company/organisation
  • Location of company
  • Number of employees of the company
  • What tasks does your position involve
  • Position below management board level
  • Scope of budget responsibility
  • Personnel responsibility and structure of working day
  • What you do to make the working environment more appealable to your LGBT+ employees
  • Situation in which you learned of discrimination against another person in connection with sexual orientation and/or gender identity at work and how you dealt with it
  • Commitment outside work to promote visibility and equality of LGBT+ community
  • Further data provided
  • Consent to data protection clause
  • Your CV

Judges:

  • Full name
  • Company name
  • Email address
  • Consent to data protection clause

The TOP 100 OUT EXECUTIVES list is a cooperation with UHLALA GmbH managing director: Stuart Cameron, Wichertstr. 9A, 10439 Berlin. PROUT AT WORK will oblige its cooperation partner UHLALA GmbH to comply with the data protection regulations accordingly.

As our cooperation partner, UHLALA GmbH is itself responsible for complying with the data protection regulations.

Personal data when placing an order

When you place an order with us, we will store the following data:

  • Status PROUTEMPLOYER
  • Company name
  • Contact
  • Department
  • Delivery address
  • Invoice address
  • Contact information (email)
Children

Our services are generally targeted at adults. Persons under the age of 18 should not provide us with personal data without the consent of their parent or guardian.

Rights of the data subject

1. Withdrawal of consent

If the processing of personal data is based on consent granted, you have the right to withdraw your consent at any time. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

You can contact us at any time if you wish to exercise your right of withdrawal.

2. Right to confirmation

You have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed. You can request this confirmation at any time using the aforementioned contact details.

3. Right of access

Where personal data are being processed, you can obtain access to these personal data and the following information at any time:

  1. the purposes of the processing;
  2. the categories of personal data concerned;
  3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  6. the right to lodge a complaint with a supervisory authority;
  7. where the personal data are not collected from the data subject, any available information as to their source;
  8. the existence of automated decision-making, including profiling, referred to in art. 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Where personal data are transferred to a third country or to an international organisation, you have the right to be informed of the appropriate safeguards pursuant to art. 46 GDPR relating to the transfer. We will provide a copy of the personal data undergoing processing. For any further copies requested by you, we may charge a reasonable fee based on administrative costs. Where you make the request by electronic means, and unless otherwise requested by you, the information will be provided in a commonly used electronic form. The right to obtain a copy referred to above must not adversely affect the rights and freedoms of others.

4. Right to rectification   

You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

5. Right to erasure (“right to be forgotten”)

You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and we have the obligation to erase personal data without undue delay where one of the following grounds applies:

  1. The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
  2. The data subject withdraws consent on which the processing is based according to point (a) of art. 6(1), or point (a) of art. 9(2) GDPR, and where there is no other legal ground for the processing.
  3. The data subject objects to the processing pursuant to art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to art. 21(2) GDPR.
  4. The personal data have been unlawfully processed.
  5. The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
  6. The personal data have been collected in relation to the offer of information society services referred to in art. 8(1) GDPR.

Where the controller has made the personal data public and is obliged pursuant to art. 17(1) GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, will take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

The right to erasure (“right to be forgotten”) does not exist to the extent that processing is necessary:

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • for reasons of public interest in the area of public health in accordance with points (h) and (i) of art. 9(2) as well as art. 9(3) GDPR;
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with art. 89(1) GDPR in so far as the right referred to in art. 17(1) GDPR is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  • for the establishment, exercise or defence of legal claims.

6. Right to restriction of processing

You have the right to obtain from us restriction of processing of your personal data where one of the following applies:

  1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
  4. the data subject has objected to processing pursuant to art. 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted under the above prerequisites, such personal data will, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

The data subject can contact us at any time via the contact details stated earlier if he or she wishes to assert his or her right to a restriction of processing.

7. Right to data portability

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

  1. the processing is based on consent pursuant to point (a) of art. 6(1) or point (a) of art. 9(2) GDPR or on a contract pursuant to point (b) of art. 6(1) GDPR and
  2. the processing is carried out by automated means.

In exercising the right to data portability pursuant to art. 20(1) GDPR, you have the right to have the personal data transmitted directly from one controller to another, where technically feasible. The exercise of the right to data portability is without prejudice to the right to erasure (“right to be forgotten”).That right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

8. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of art. 6(1) GDPR, including profiling based on those provisions. The controller will no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, the personal data will no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to art. 89(1) GDPR, you, on grounds relating to your particular situation, have the right to object to processing of personal data concerning you, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

You can exercise the right to object at any time by contacting the data controller concerned.

9. Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision:

  1. is necessary for entering into, or performance of, a contract between the data subject and a data controller,
  2. is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests or
  3. is based on the data subject’s explicit consent.

The data controller will implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

The data subject can exercise this right at any time by contacting the data controller concerned.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to you infringes the GDPR.

11. Right to an effective judicial remedy

Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to art. 77GDPR, you have the right to an effective judicial remedy where you consider that your rights under the GDPR have been infringed as a result of the processing of your personal data in non-compliance with the GDPR.

Annex 1 – Technical and organisational measures (TOMs)

The technical and organisational measures which the provider must as a minimum establish and maintain on an ongoing basis to ensure data protection and data security are set out below. The aim is to guarantee in particular the confidentiality, integrity and availability of the information processed on behalf of others. The technical and organisational measures taken are documented by the contractor and agreed and arranged in communication with the principal.

Confidentiality pursuant to art. 32(1)(b) of the General Data Protection Regulation (GDPR)

Meaning: Your TOMs within the meaning of the GDPR should protect the confidentiality of the systems, services and data used. They should prevent unauthorised or unlawful processing. (Art. 32(1)(b) GDPR)

Control of admittance: measures to deny unauthorized persons admittance to data processing equipment used for processing personal data:

  • security locks
  • doors with a knob on the outside
  • no access to the office without an employee being present
  • seamless traceability of external visitors by way of a calendar system

Control of access: measures to prevent unauthorised persons from using the data processing equipment and procedures:

  • login with user name and password
  • antivirus software servers
  • antivirus software clients
  • firewall
  • mobile device management
  • use of VPNs in the case of remote access
  • automatic desktop lock
  • management of user privileges
  • guideline on “secure passwords”

Control of access rights: measures which ensure that those authorised to use the data processing procedures only have access to the personal data for which they have access authorisation:

  • introduction of user and role concepts for internal systems
  • file shredders
  • minimal number of administrators
  • management of user rights by administrators

Separation control: measures to ensure that data collected for different purposes can be processed separately

  • laying down database rights
  • introduction of access authorisations for internal systems
  • separation of internal WLAN and guest WLAN/no passing on of the internal WLAN key to external parties

Integrity (art. 32(1)(b) GDPR)

Meaning: integrity means that the data collected from you cannot be altered or destroyed either intentionally or unintentionally (protection against forgery)

Transmission control: measures which prevent unauthorised reading, copying, alteration or removal of data during electronic transfer, for example using encryption, virtual private networks (VPNs), electronic signatures:

  • use of SSL-encrypted transmission paths on the Internet
  • protecting documents sent by post (e.g. by using non-transparent envelopes)
  • email encryption
  • use of VPN
  • provision via encrypted connections such as https

Input control: measures to determine if personal data have been input into, altered or removed from the data processing systems and, if so, by whom. This can be done by way of logging or document management.

  • technical logging of the inputting, alteration and erasure of data
  • introduction of user and role concepts for internal systems
  • introduction of customised access for internal systems
  • use of personalised logins in the company network

Availability (art. 32(1)(b) GDPR)

Meaning: data and the systems necessary for their processing should always be available when they are required

Availability control: measures to ensure that personal data are protected against accidental destruction or loss (e.g. backups)

  • RAID system/hard disk mirroring
  • surge protection power strips for servers
  • no sanitary connections in or above the server room
  • regular implementation of updates

Other kinds of measures (art. 32(1)(d) GDPR; art. 25(1) GDPR)

Data protection management: a process for regularly testing, assessing and evaluating data protection and the effectiveness of the technical and organisational measures laid down

  • erasure of data no longer needed
  • secure disposal of defective hardware/hardware no longer needed
  • secure disposal of documents/file shredder
  • employees trained and obliged to maintain confidentiality and data secrecy
  • regular raising of employees’ awareness (annually and repeatedly during the course of everyday business)

Incident response management: support in responding to security breaches

  • use of firewalls and regular updating thereof
  • use of spam filters and regular updating thereof
  • use of virus scanners and regular updating thereof

Data-protection-friendly measures:

  • simple execution of the right of withdrawal by the data subjects through technical measures

Job control: measures which ensure that personal data processed on behalf of others are processed strictly in accordance with the principal’s instructions

  • conclusion of contracts with service providers for the processing of jobs
  • selection of suitable partners with due consideration of data protection issues
  • advising/educating clients (networks, PROUTEMPLOYER, attendees) on the subject of personal data
Annex 2 – Processors

We make use of external service providers (processors). Separate job processing contracts have been concluded with the service providers in order to ensure that personal data is protected.

We work together with the following processors:

Liane Zimmermann c/o complizenwerk

Address: Schwanthalerstraße 76 Rgb., 80336 Munich
Activity: graphic design and layout design

Tobias Nuspl TNSYS

Address: Leo-Graetz-Straße 16, 81379 Munich
Activity: IT consultation, technical support and expansion of the IT infrastructure

Plattenbrand GmbH

Address: Gentzstraße 3, 80796 München
Activity: website progamming and webhosting

Sandra Hachmann

Address: Brucknerstraße 4, 81677 Munich
Activity: copywriter; editing, revising and writing texts

Bank für Sozialwirtschaft AG

Address: Konrad-Adenauer-Ufer 85, 50668 Cologne
Activity: use of the fundraising tool BFS-Net.Tool XXL

Michael Rademacher

Address: Hofheimer Str. 31; 97437 Haßfurt
Activity: Website programming

Webgo GmbH

Address: Wandsbeker Zollstr. 95; 22041 Hamburg
Activity. Web hosting