Person in charge
B.A.C.A. International Germany e.V.

P.O. Box 850134

DE-51026 Cologne

Authorized representatives: Mark “Noise” Manski

E-mail address: President@germany.bacaworld.org

Imprint: https://bacaworld.org/germany

The following overview summarises the types of data processed and the purposes of their processing, and refers to the data subjects.

Types of data processed

• Inventory data (e.g. names, addresses)
• Content data (e.g. entries in online forms)
• Contact details (e.g. e-mail, telephone numbers)
• Meta/communication data (e.g. device information, IP addresses)
• Usage data (e.g. websites visited, interest in content, access times)
• Contract data (e.g. subject matter of the contract, term, customer category)
• Payment data (e.g. bank details, invoices, payment history)

Categories of data subjects

• Business and contractual partners
• Communication
• Members
• Users (e.g. website visitors, users of online services)

Purposes of processing

• Office and Organization Procedures
• Contact requests and communication
• Provision of contractual services and customer service
• Managing and responding to inquiries

E-mail address: DataProtectionOfficer@germany.bacaworld.org

In the following, we provide the legal basis of the General Data Protection Regulation (GDPR), on the basis of which we process the personal data. Please note that in addition to the regulations of the GDPR, the national data protection regulations may apply in your or our country of residence and domicile. Furthermore, if more specific legal bases are relevant in individual cases, we will inform you of these in the privacy policy.

• Consent (Art. 6 para. 1 sentence 1 lit. a. GDPR) – The data subject has given his or her consent to the processing of personal data concerning him or her for a specific purpose or purposes.
• Performance of a contract and pre-contractual requests (Art. 6 (1) sentence 1 lit. b. GDPR) – Processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken at the request of the data subject.
• Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data.

National data protection regulations in Germany: In addition to the data protection regulations of the General Data Protection Regulation, national regulations on data protection apply in Germany. These include, in particular, the Act on Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act – BDSG). In particular, the BDSG contains special provisions on the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes and transmission as well as automated decision-making in individual cases, including profiling. Furthermore, it regulates data processing for the purposes of the employment relationship (§ 26 BDSG), in particular with regard to the establishment, implementation or termination of employment relationships as well as the consent of employees. In addition, state data protection laws of the individual federal states can be applied.

In accordance with the legal requirements, we take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk, taking into account the state of the art, the implementation costs and the type, scope, circumstances and purposes of the processing, as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons.

The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data, as well as access, input, disclosure, availability and separation. We have also put in place procedures to ensure that the rights of data subjects are exercised, that data is deleted and that data is endangered. Furthermore, we take the protection of personal data into account as early as the development or selection of hardware, software and processes in accordance with the principle of data protection, through technical design and through data protection-friendly default settings.

As part of our processing of personal data, the data may be transmitted to or disclosed to other bodies, companies, legally independent organisational units or persons. The recipients of this data may include, for example, payment institutions in the context of payment transactions, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.

Data transfers within the organization: We may transfer personal information to other entities within our organization or provide them with access to that information. If this disclosure is for administrative purposes, the disclosure of the data is based on our legitimate business and business interests or takes place if it is necessary for the fulfilment of our contractual obligations or if the consent of the data subjects or legal permission has been obtained.

If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA)) or if the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, bodies or companies, this will only take place in accordance with the legal requirements.

Subject to explicit consent or contractually or legally required transfer, we only process or have the data processed in third countries with a recognised level of data protection, contractual obligation through so-called standard protection clauses of the EU Commission, in the presence of certifications or binding internal data protection regulations (Art. 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de ).

Cookies are text files containing data from visited websites or domains that are stored on the user’s computer by a browser. A cookie is primarily used to store information about a user during or after his visit within an online offer. The stored information may include, for example, the language settings on a website, the login status, a shopping cart or the place where a video was watched. The term cookies also includes other technologies that perform the same functions as cookies (e.g., when user information is stored using pseudonymous online identifiers, also known as “user IDs”)

The following types of cookies and functions are distinguished:

• Temporary cookies (also: session or session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed his browser.
• Persistent cookies: Persistent cookies remain stored even after the browser is closed. For example, the login status can be saved or preferred content can be displayed directly when the user visits a website again. Similarly, the interests of users used for reach measurement or marketing purposes may be stored in such a cookie.
• First-party cookies: First-party cookies are set by ourselves.
• Third-party cookies (also: third-party cookies): Third-party cookies are mainly used by advertisers (so-called third parties) to process user information.
• Necessary (also: essential or strictly necessary) cookies: On the one hand, cookies may be absolutely necessary for the operation of a website (e.g. to store logins or other user inputs or for security reasons).
• Statistics, marketing and personalisation cookies: Furthermore, cookies are usually also used in the context of reach measurement and when a user’s interests or behaviour (e.g. viewing certain content, using functions, etc.) are stored in a user profile on individual websites. Such profiles are used to show users, for example, content that corresponds to their potential interests. This procedure is also known as “tracking”, i.e. tracking the potential interests of users. If we use cookies or “tracking” technologies, we will inform you separately in our privacy policy or as part of obtaining consent.

Notes on legal bases: The legal basis on which we process your personal data using cookies depends on whether we ask you for consent. If this is the case and you consent to the use of cookies, the legal basis for processing your data is consent. Otherwise, the data processed with the help of cookies will be processed on the basis of our legitimate interests (e.g. in the business operation of our online offer and its improvement) or if the use of cookies is necessary to fulfil our contractual obligations.

Storage period: Unless we provide you with explicit information on the storage period of permanent cookies (e.g. as part of a so-called cookie opt-in), please assume that the storage period can be up to two years.

General information on revocation and objection (opt-out): Depending on whether the processing is based on consent or legal permission, you have the option at any time to withdraw any consent you have given or to object to the processing of your data by cookie technologies (collectively referred to as “opt-out”). You can first declare your objection by means of the settings of your browser, e.g. by deactivating the use of cookies (whereby this may also limit the functionality of our online offer). An objection to the use of cookies for online marketing purposes can also be declared by means of a variety of services, especially in the case of tracking, via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/. In addition, you can obtain further objection notices as part of the information on the service providers used and cookies.

Processing of cookie data on the basis of consent: Before we process or have processed data in the context of the use of cookies, we ask users for consent, which can be revoked at any time. Until consent has been given, cookies will be used that are absolutely necessary for the operation of our online offer.

• Types of data processed: Usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
• Data subjects: Users (e.g. website visitors, users of online services).
• Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a. GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).

We process the data of our members, supporters, interested parties, business partners or other persons (collectively “data subjects”) if we have a membership or other business relationship with them and perform our tasks and are recipients of services and benefits. In addition, we process the data of data subjects on the basis of our legitimate interests, e.g. when it comes to administrative tasks or public relations.

The data processed in this context, the type, scope and purpose and the necessity of its processing are determined by the underlying membership or contractual relationship, which also results in the necessity of any data information (in addition, we refer to required data).

We delete data that is no longer necessary for the performance of our statutory and business purposes. This is determined according to the respective tasks and contractual relationships. We retain the data for as long as it may be relevant for the purpose of conducting business and for any warranty or liability obligations based on our legitimate interest in regulating them. The necessity of retaining the data is regularly reviewed; in all other respects, the statutory retention obligations apply.

• Types of data processed: Inventory data (e.g. names, addresses), payment data (e.g. bank details, invoices, payment history), contact data (e.g. e-mail, telephone numbers), contract data (e.g. subject matter of the contract, term, customer category).
• Data subjects: Users (e.g. website visitors, users of online services), members, business partners and contractual partners.
• Purposes of processing: Provision of contractual services and customer service, contact requests and communication, management and response to requests.
• Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).

When contacting us (e.g. via contact form, e-mail, telephone or via social media), the details of the enquiring persons will be processed insofar as this is necessary to answer the contact enquiries and any measures requested.

The response to contact enquiries within the framework of contractual or pre-contractual relationships is carried out in order to fulfil our contractual obligations or to answer (pre-)contractual enquiries and otherwise on the basis of the legitimate interests in answering the enquiries.

• Types of data processed: Inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. entries in online forms).
• Data subjects: Communication.
• Purposes of processing: Contact requests and communication.
• Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).

The data processed by us will be deleted in accordance with the legal requirements as soon as their consents to processing are revoked or other permissions cease to apply (e.g. if the purpose of the processing of this data has ceased to apply or it is not necessary for the purpose).

Unless the data is deleted because it is necessary for other and legally permissible purposes, its processing will be limited to these purposes. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or the storage of which is necessary for the assertion, exercise or defence of legal claims or for the protection of the rights of another natural or legal person.

Further information on the deletion of personal data can also be provided in the individual data protection notices of this privacy policy.

We ask you to regularly inform yourself about the content of our privacy policy. We will adapt the privacy policy as soon as the changes in the data processing we carry out make it necessary. We will inform you as soon as the changes require you to cooperate (e.g. consent) or other individual notification.

If we provide addresses and contact information of companies and organizations in this privacy policy, please note that the addresses may change over time and please check the information before contacting us.

As a data subject, you are entitled to various rights under the GDPR, which result in particular from Art. 15 to 21 GDPR:

• Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you that is carried out on the basis of Art. 6 (1) (e) or (f) GDPR; this also applies to profiling based on these provisions. If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of the personal data concerning you for the purpose of such advertising; this also applies to profiling, insofar as it is related to such direct advertising.
• Right of revocation in the case of consent: You have the right to revoke any consent you have given at any time.
• Right: You have the right to request confirmation as to whether the data in question is being processed and to obtain information about this data, as well as further information and a copy of the data in accordance with the legal requirements.
• Right to rectification: In accordance with the legal requirements, you have the right to request the completion of the data concerning you or the correction of the incorrect data concerning you.
• Right to erasure and restriction of processing: In accordance with the legal requirements, you have the right to demand that data concerning you be deleted immediately, or alternatively to demand a restriction of the processing of the data in accordance with the legal requirements.
• Right to data portability: You have the right to receive data concerning you that you have provided to us in a structured, commonly used and machine-readable format in accordance with the legal requirements or to request its transmission to another controller.
• Complaint to supervisory authority: You also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement, in accordance with the legal requirements, if you believe that the processing of personal data concerning you violates the GDPR.

Supervisory authority responsible for us:

2-4

40213 Düsseldorf
Phone: 0211/38424-0
Fax: 0211/38424-10
E-mail: poststelle@ldi.nrw.de

This section provides an overview of the terminology used in this Privacy Policy. Many of the terms are taken from the law and defined primarily in Art. 4 GDPR. The legal definitions are binding. The following explanations, on the other hand, are primarily intended to serve understanding. The terms are sorted alphabetically.

• Personal data: “Personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. a cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
• Person in charge: “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
• Processing: “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is far-reaching and encompasses practically any handling of data, be it collection, evaluation, storage, transmission or deletion.