Protecting your privacy and your personal data is important to us. Therefore, we wish to describe the contact options and ways of obtaining and processing personal data relating to data subjects as simply and accurately as possible.

Firstly, we list the details of the options for contacting our data protection officer and options for making contact in encrypted form. After that, we introduce you to the legal and technical terms that are used throughout this privacy policy. That is followed by an overview of the rights of the data subject and then information about the controller. Finally, we provide information on the technologies and services employed as well as our use thereof.

1 Contacting our data protection officer

If you have any questions or require information, you can contact our external data protection officer at any time. The contact details are as follows:

Oliver Offenburger, MSc

E-mail: dataprotection@meta-e2f.eu

eye-i4 GmbH
Data Protection Dept.
Mönchweilerstr. 12
78048 Villingen-Schwenningen
Germany

Tel. +49 (0)7721 69724-00
Fax +49 (0)7721 69724-01
Web: https://eye-i4.de

We prefer contact via e-mail. However, you are welcome to contact our data protection officer by post or by telephone. If you wish to encrypt your e-mail to our data protection officer, then we recommend that you read the following section.

Guidelines for enquiries:

When sending an enquiry per e-mail within regular business hours, we will confirm receipt of your message on the same day. If you do not receive such confirmation, please contact us by telephone.

When sending an enquiry per post, we will post confirmation of receipt of your message on the day that we receive your enquiry, at the latest on the next day. If you do not receive such confirmation, please contact us by telephone.

If you wish to make an enquiry by telephone, we would ask you to contact our data protection partner, eye-i4 GmbH, directly by telephone.

1.1 Encryption of e-mails to our data protection officer

We prefer an encrypted transmission via e-mail. Therefore, to safeguard confidentiality and integrity, we would ask you to send your enquiries to our data protection officer in encrypted form.

We use PGP for encryption. Information (in German) about free usage options and installation can be found on the website of our data protection partner; please go to

https://eye-i4.de/blog-kostenlose-pgp-verschluesselung.html.

For information in English please go to, for example, https://www.openpgp.org/software/.

You can download our PGP key from the following link: PGP-Key

If you require fingerprint verification, please contact our data protection partner, eye-i4 GmbH, by telephone.

Should you have any further questions regarding encryption, please contact our data protection officer.

2 Legal terms

Before we describe legal matters in this privacy policy, we would like to explain the relevant terms.

2.1 EU-GDPR (or just ‘GDPR’)

EU-GDPR (hereinafter called ‘GDPR’) is the General Data Protection Regulation of the European Union. This is a principal regulation of the European Union which regulates how personal data may be processed. The English version of the GDPR can be viewed and downloaded here:

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679

2.2 Controller

‘Controller’ means the natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by EU or Member State law, the controller or the specific criteria for nomination of the controller may be provided for by EU or Member State law.

2.3 Personal data and data subject

‘Personal data’ means any information relating to an identified or identifiable natural person (hereinafter called ‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2.4 Processing

‘Processing’ means any operation or set of operations that is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

2.5 Restriction of processing

‘Restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future.

2.6 Processor

‘Processor’ means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.

2.7 Recipient

‘Recipient’ means a natural or legal person, public authority, agency or another body to which the personal data are disclosed, whether a third party or not. However, public authorities that may receive personal data within the framework of a particular inquiry in accordance with EU or Member State law shall not be regarded as recipients. The processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing. 3

2.8 Third party

‘Third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

2.9 Consent

‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

2.10 Personal data breach

‘Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data that are transmitted, stored or otherwise processed.

2.11 Data concerning health

‘Data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information about his or her health status.

2.12 Enterprise

‘Enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.

2.13 Supervisory authority

‘Supervisory authority’ means an independent public authority that is established by a Member State pursuant to GDPR Art. 51.

2.14 Relevant and reasoned objection

‘Relevant and reasoned objection’ means an objection to a draft decision as to whether there is an infringement of the GDPR, or whether envisaged action in relation to the controller or processor complies with the GDPR, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the EU.

3 Technical terms

Before we describe technical matters in this privacy policy, we would like to explain the relevant terms.

3.1 Filing system

‘Filing system’ means any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

3.2 Cookies

Cookies are text files that are saved by a website on your terminal by way of your browser. These text files might be intended for realising technical features such as a shopping cart function but also to identify your behaviour as a visitor. To do this, the text files can be provided with identification attributes and additional information.

The browser installed on your terminal includes options for preventing the saving of cookies. The deactivation of cookies might lead to some technical limitations when using the website. 4

3.3 Server logs

Server logs are log files that are compiled by the web server and record access to a website. Considerable information can be collected in a log entry, e.g. time of access, type of browser, IP address of visitor, etc.

3.4 Referrer

The referrer designates the website from which the visitor has gained access to the website of the controller. Information about, for example, the referrer, can be obtained from the server logs.

4 Rights of the data subject

The rights of the data subjects are specified in the GDPR and the respective national legislation on data protection. If you wish to exercise your rights, we would ask you to contact our data protection officer using one of the methods described at the start of this privacy policy. In the following, we point out your rights as specified in the GDPR, chapter 3 in particular.

4.1 Information obligation

The data subject has a right to obtain information about the personal data on the data subject which are held if the data were collected from the data subject or if the data were not collected from the data subject. This is regulated in GDPR chapter 3, Art. 13 and Art. 14.

4.2 Right of access

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and information according to GDPR Art. 15.

4.3 Right to rectification

The data subject shall have the right to demand that the controller rectify inaccurate personal data concerning the data subject without undue delay.

Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

4.4 Right to erasure

The data subject shall have the right to demand that the controller erase personal data concerning the data subject without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the grounds according to GDPR Art. 17 applies.

4.5 Right to restriction of processing

The data subject shall have the right to demand that the controller restrict processing where one of the conditions of GDPR Art. 18 applies.

4.6 Notification obligation

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with GDPR Art. 16, Art. 17(1) and Art. 18 to each recipient to whom the personal data have been disclosed unless this proves impossible or involves disproportionate effort.

The controller shall inform the data subject about those recipients if the data subject requests it.

4.7 Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the 5

right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

4.8 Right to object

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on GDPR Art. 6, 1(e) or 1(f), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or such processing serves for the establishment, exercise or defence of legal claims.

4.9 Right to lodge a complaint with a supervisory authority

According to GDPR Art. 77, you have the right to lodge a complaint with a supervisory authority. As a rule, to do this, you can contact the supervisory authority of your habitual residence or place of work or the location of the controller.

The supervisory authority responsible in our case is as follows:

Landesbeauftragte für den Datenschutz und die Informationsfreiheit, Stuttgart

5 Details of controller

The controller is listed below according to GDPR Art. 24:

META E²F Operations GmbH & Co. KG
Steinkirchring 74
78056 Villingen-Schwenningen
Germany

Further information about the controller can be found in the Legal Notice.

6 Web technologies employed

6.1 Encryption of data transmission

We use the SSL (secure socket layer) protocol to encrypt the transmission of and enquiries about data on our website. Apart from that, we make use of suitable technical and organisational security measures in order to protect your data against random or premeditated manipulation, partial or complete loss, destruction or unauthorised access by third parties. Our security measures are continually improved in line with technological developments.

6.2 Server logs

When using our website merely to obtain information, i.e. when you do not register with us or transmit information to us in any other way, we collect only the personal data that your browser transmits to our server. If you wish to view our website, we collect the following data, which we require technically in order to display our website to you and guarantee stability and security (GDPR Art. 6, 1(f) is the legal basis for this):

  • anonymised IP address,
  • date and time of the enquiry,
  • difference between your time zone and Greenwich Mean Time (GMT),
  • details of request (specific page),
  • access status/HTTP status code,
  • quantity of data transmitted in each case,
  • the website from which the request originated (referrer),
  • browser,
  • operating system and its GUI,
  • language and version of the browser software.

6.3 Cookies

To protect your personal data, we have removed all cookies.

7 Duration of storage

Unless explicitly specified, we save personal data only for the time necessary to complete the intended purpose or to fulfil the order or assignment. In some cases, e.g. tax or commercial law, legislators prescribe the retention of personal data. In these cases the data continue to be stored by us for these statutory purposes only, but are not processed in any other way and are deleted upon expiry of the statutory period of retention.

8 Transmission to third parties

Your personal data are not transmitted to third parties for purposes other than those given below. We transmit your personal data to third parties only:

  • if you have given your express consent according to GDPR Art. 6, 1(a),
  • if the transmission is necessary according to GDPR Art. 6, 1(f) for establishing, exercising or defending legal claims and there are no grounds to assume that you have an overriding security interest that prevents the transmission of your data to third parties,
  • for the case that the transmission is necessary in order to comply with a legal obligation according to GDPR Art. 6, 1(c), and
  • if transmission is legally permissible and necessary for the performance of a contract to which the data subject is party according to GDPR Art. 6, 1(b).