Privacy Notice for the Aucos Website
I. Name and Address of the Data Controller
“Controller” within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws and regulations is:
Phone: +49 (0) 241 44 66 40
II. Name and Address of the Data Protection Officer
The controller’s data protection officer is:
Prof. Dr. Dr. h.c. Frank Stein
III. General Information on Data Processing
Extent to which personal data is processed
As a general rule, we only process our users’ personal data as far as this is necessary for making available a functional website and providing our content and our services. We will only process our users’ personal data after the user has given consent to such processing. An exception applies in those cases where prior consent cannot be obtained for practical reasons and the processing of the data is permitted by law.
Legal basis for the processing of personal data
As far as we obtain the consent of the persons concerned (the “data subjects”) to processing operations of their personal data, the legal basis for such processing is Art. 6(1)(a) of the EU General Data Protection Regulation (GDPR). For the processing of personal data that is required for the performance of a contract to which the data subject is a party, the legal basis for such processing is Art. 6(1)(b) of the GDPR. The same applies to processing operations that are necessary for taking measures that are required prior to entering into a contract.
As far as the processing of personal data is required for compliance with a legal obligation to which we are subject, the legal basis for such processing is Art. 6(1)(c) of the GDPR.
In case the processing of personal data is necessary in order to protect vital interests of the data subject or those of another natural person, such processing is based on Art. 6(1)(d) of the GDPR.
Where the processing of personal data is necessary for the purpose of safeguarding the legitimate interests of our company or that of a third party, except where such interests are overridden by the data subject’s interests or fundamental rights and freedoms, the legal basis for such processing is Art. 6(1)(f) of the GDPR.
Deletion of data and duration of storage
The data subject’s personal data will be deleted or blocked as soon as the purpose of storage of such data no longer applies. Furthermore, personal data may be stored if this has been provided for by the European or the national legislator in European Union regulations, laws or other legal provisions to which the controller is subject. The data will also be deleted or blocked when a storage period specified in the mentioned laws and regulations expires, except where further storage of the data is necessary for the conclusion of a contract or for fulfilling a contractual obligation.
IV. Provision of the Website and Creation of Log Files
Description and extent of data processing
Each time our website is accessed, our system automatically collects data and information of the accessing computer system.
In this context, the following data is collected:
- Website that is visited
- Time the access takes place
- Amount of data sent in bytes
- Source/link from which the website is accessed
- Browser used to visit the website
- Operating system used
- IP address used
This data is also stored in the log files of our system. This data is not stored together with other personal data of the user.
Legal basis of data processing
The legal basis for the temporary storage of data and the log files is Art. 6(1)(f) of the GDPR.
Purpose of data processing
The temporary storage of the IP address by the system is necessary to enable the website to be made available on the computer of the user. For this purpose, the IP address of the user must be stored for the duration of the session.
The purpose of the storage of data in log files is to ensure proper functioning of the website. Moreover, we use this data to optimise our website and to ensure the security of our IT systems. In this context, the data will not be evaluated for marketing purposes.
The mentioned purposes constitute our legitimate interest in data processing, as referred to in Art. 6(1)(f) of the GDPR.
Duration of storage
The data will be deleted as soon as its storage is no longer necessary to achieve the intended purpose of its collection. As far as the collection of data for the purpose of making the website available is concerned, this is the case as soon as the corresponding session is terminated.
As far as the storage of data in log files is concerned, this is the case after a maximum period of 90 days. Storage beyond these limits is possible. In this case, the IP addresses of the users will be deleted or altered, so that they can no longer be attributed to the accessing client.
Possibility of objection and removal
The collecting of the data for making the website available and storage of the data in log files is essential for the purpose of operating our website. For this reason, the user cannot object to such collecting and storing of data.
a) Description and extent of data processing
We use these cookies to make our website more user-friendly. Some elements of our website make it necessary that the accessing browser can still be identified after another website has been visited.
In the cookies, the following information is stored and transmitted:
(1) Language settings
(2) Status information on the cookie alert
(3) Log-in information
b) Legal basis of data processing
The legal basis for the processing of personal data using cookies is Art. 6(1)(f) of the GDPR.
c) Purpose of data processing
Cookies that are technically necessary are employed for the purpose of making the use of the website more convenient for the user. Some functions of our website will not work without cookies being used. For these functions, it is necessary that the browser will still be identified after another website has been visited.
Cookies are needed for the following functions:
(1) Acceptance of language settings
(2) Control of the display of the cookie alert
(3) Statistical analysis on the use of our website by means of Google Analytics
User data collected by technically necessary cookies will not be used to create user profiles.
The mentioned purposes constitute our legitimate interest in the processing of personal data, as referred to in Art. 6(1)(f) of the GDPR.
d) Duration of storage, possibility of objection and removal
VI. Rights of the Person Concerned (“Data Subject”)
Insofar as we process your personal data, you are a data subject within the meaning of the GDPR, which gives you the following rights vis-a-vis us (the “data controller”):
Right to information (GDPR: “right of access by the data subject”)
You have the right to obtain confirmation from the data controller as to whether or not personal data concerning you is being processed.
Where that is the case, you are entitled to obtain the following information from the controller:
(1) the purposes for which the personal data is processed;
(2) the categories of personal data concerned;
(3) the recipients or categories of recipients to whom the personal data concerning you has been or will be disclosed;
(4) the envisaged period for which the personal data concerning you will be stored, or, if exact periods cannot be given, the criteria used to determine that period;
(5) the existence of the right to request rectification or deletion of personal data concerning you, the right to restrict processing by the data controller, or the right to object to such processing;
(6) the existence of the right to lodge a complaint with a supervisory authority;
(7) where the personal data is not collected from the data subject him/herself, any available information as to the source of the data;
(8) the existence of automated decision-making, including profiling (as referred to in Art. 22(1) and (4) of the GDPR) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you as the data subject.
You have the right to be informed on whether or not your personal data is transferred to a third country or to an international organisation. In this context, you are entitled to be informed of the appropriate safeguards regarding the data transfer pursuant to Art. 46 of the GDPR.
Right to rectification
In case your personal data is inaccurate or incomplete, you are entitled to obtain rectification and/or completion of the data from the controller. In such case, the controller must correct the data without undue delay.
Right to restriction of processing
You have the right to demand restriction of processing of personal data concerning you if one of the following applies:
(1) if you contest the accuracy of the personal data concerning you, for a period enabling the controller to verify the accuracy of the personal data;
(2) the processing is unlawful, and you decline erasure of your personal data, requesting restriction of its use instead;
(3) the controller no longer needs the personal data for the purposes of the processing, but you need such data to assert, exercise or defend legal claims;
(4) if you have objected to processing pursuant to Art. 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override your grounds.
Where processing of the personal data concerning you has been restricted, such data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interests of the Union or a Member State. If the processing of your personal data has been restricted due to one of the above-mentioned circumstances, you will be informed before the restriction of processing is lifted.
Right to erasure
You have the right to request the controller to delete your personal data without undue delay, in which case the controller will be obliged to delete this data without undue delay if one of the following reasons applies:
(1) the personal data concerning you is no longer necessary for the purposes for which it has been collected or otherwise processed;
(2) you withdraw your consent on which the processing is based according to Art. 6(1)(a) or Art. 9(2)(a) of the GDPR, and there is no other legal basis for the processing;
(3) you object to the processing pursuant to Art. 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21(2) of the GDPR;
(4) the personal data concerning you has been unlawfully processed;
(5) the personal data concerning you has to be erased for compliance with a legal obligation under Union or Member State law to which the controller is subject;
(6) your personal data has been collected in relation to offered services of the information society referred to in Art. 8(1) of the GDPR.
Information to third parties (right to be forgotten)
If the controller has made public the personal data concerning you and is obliged, pursuant to Art. 17(1) of the GDPR, to delete the personal data, the controller, taking account of available technology and the cost of implementation, will take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, this personal data.
The right to erasure does not exist if the data processing is required
(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing in accordance with Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health in accordance with Art. 9(2)(h) and (i) as well as Art. 9(3) of the GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89(1) of the GDPR insofar as the right referred to under (a) is likely to render impossible or seriously impair the achievement of the objectives of such processing;
(5) for the establishment, exercise or defence of legal claims.
Right to be notified
Once you have exercised your right to rectification, erasure or restriction of processing vis-a-vis the controller, the latter is obliged to communicate such rectification or erasure of personal data or restriction of processing to all recipients to whom the personal data concerning you has been disclosed, unless this proves impossible or involves disproportionate effort.
You have the right to request that the controller inform you about those recipients.
Right to data portability
You have the right to receive the personal data concerning you which you have made available to the controller, in a structured, commonly used and machine-readable format. Furthermore, you have the right to transmit this data to another data controller without hindrance from the controller to which your personal data has been made available, if
(1) the processing is based on consent pursuant to Art. 6(1)(a) or Art. 9(2)(a) of the GDPR or on a contract pursuant to Art. 6(1)(b); and
(2) processing is carried out by automated means.
In exercising this right, you can also demand that the personal data concerning you be transmitted directly from one controller to another controller, if this is technically feasible. However, this must not adversely affect the freedoms and rights of other persons.
The right to data portability shall not apply to the processing of data which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Right to revoke your consent to data processing
You have the right to withdraw your consent to processing at any time. The withdrawal of consent will not affect the lawfulness of the processing that was based on the consent before it was revoked.
Automated decision-making in individual cases including profiling
You have the right not to be subject to a decision based exclusively on automated processing, including profiling, which produces legal effects concerning you or significantly affects you in a similar manner. This does not apply if the decision
(1) is necessary for the purpose of entering into or performing a contract between you and the controller;
(2) is authorised by Union or Member State law to which the controller is subject, and which also lays down suitable measures to safeguard your rights and freedoms as well as your legitimate interests; or
(3) is based on your explicit consent.
However, such decisions shall not be based on special categories of personal data as referred to in Art. 9(1) of the GDPR, unless point (a) or (g) of Art. 9(2) applies and suitable measures to safeguard your rights and freedoms as well as your legitimate interests are in place.
In the cases referred to under (1) and (3), the controller will implement suitable measures to safeguard your rights and freedoms as well as your legitimate interests, which include at least the right to obtain human intervention on the part of the controller, the right to express your point of view and the right to contest the decision.
Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you are entitled to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of the personal data concerning you infringes the GDPR.
The supervisory authority with which a complaint has been lodged will inform the complainant about the progress of the complaint and its outcome, including the possibility of a judicial remedy in accordance with Art. 78 of the GDPR.
VII. Right to object
You are entitled to object, for reasons relating to your particular situation, at any time to the processing of the personal data concerning you which is based on Art. 6(1)(e) or (f) of the GDPR, including profiling based on these provisions.
In this case, the controller will no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or unless the processing is necessary to assert, exercise or defend legal claims.
If the personal data concerning you is processed for the purpose of direct marketing, you can object at any time to the processing of your personal data for the purposes of such marketing; this shall also apply to profiling insofar as it is related to such direct marketing.
If you object to the processing that is made for purposes of direct marketing, the personal data concerning you will no longer be processed for these purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications. There are no formal requirements for making an objection, which should be addressed, if possible, to the controller’s e-mail address given above.
VIII. Analysis tools and advertising
This website uses functions of the web analysis service Google Analytics. The provider of this service is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Google Analytics uses so-called cookies. Cookies are text files, which are stored on your computer and that enable an analysis of the use of the website by users. The information generated by cookies on your use of this website is usually transferred to a Google server in the United States, where it is stored.
The storage of Google Analytics cookies and the utilization of this analysis tool are based on Art. 6 Sect. 1 lit. f GDPR. The operator of this website has a legitimate interest in the analysis of user patterns to optimize both the services offered online and the operator’s advertising activities.
On this website, we have activated the IP anonymization function. As a result, your IP address will be abbreviated by Google within the member states of the European Union or in other states that have ratified the Convention on the European Economic Area prior to its transmission to the United States. The full IP address will be transmitted to one of Google’s servers in the United States and abbreviated there only in exceptional cases. On behalf of the operator of this website, Google shall use this information to analyse your use of this website to generate reports on website activities and to render other services to the operator of this website that are related to the use of the website and the Internet. The IP address transmitted in conjunction with Google Analytics from your browser shall not be merged with other data in Google’s possession.
You do have the option to prevent the archiving of cookies by making pertinent changes to the settings of your browser software. However, we have to point out that in this case you may not be able to use all of the functions of this website to their fullest extent. Moreover, you have the option to prevent the recording of the data generated by the cookie and affiliated with your use of the website (including your IP address) by Google as well as the processing of this data by Google by downloading and installing the browser plug-in available under the following link: https://tools.google.com/dlpage/gaoptout?hl=en.
Objection to the recording of data
You have the option to prevent the recording of your data by Google Analytics by clicking on the following link. This will result in the placement of an opt-out cookie, which prevents the recording of your data during future visits to this website: Google Analytics deactivation.
For more information about the handling of user data by Google Analytics, please consult Google’s Data Privacy Declaration at: https://support.google.com/analytics/answer/6004245?hl=en.
Contract data processing
We have executed a contract data processing agreement with Google and are implementing the stringent provisions of the German data protection agencies to the fullest when using Google Analytics.
Demographic parameters provided by Google Analytics
This website uses the function “demographic parameters” provided by Google Analytics. It makes it possible to generate reports providing information on the age, gender and interests of website visitors. The sources of this information are interest-related advertising by Google as well as visitor data obtained from third party providers. This data cannot be allocated to a specific individual. You have the option to deactivate this function at any time by making pertinent settings changes for advertising in your Google account or you can generally prohibit the recording of your data by Google Analytics as explained in section “Objection to the recording of data.”