- 1 Preliminary remarks and Definitions
1.1 In what follows, we, the operators of the website www.doneberlin.com (“Website”), DONE! Berlin GmbH, registered in the commercial register of the local court (Amtsgericht) Charlottenburg under HRB 201558 B, (“DONE!”, “we”, “us”, “our”) inform about the collection of personal data in the context of the provision of our services as well as within our web offer.
1.2 Personal data is any data that can be related to you in person, e.g. name, address, e-mail address, user behaviour.
1.3 Our web offer includes the website and the functions and content associated with it as well as external online presences such as our social media profiles (hereinafter jointly referred to as “web offer”).
1.4 Visitors and users of the website and the web offer are referred to as data subjects in the following as “users”.
1.5 We refer to the definitions in Art. 4 of the General Data Protection Regulation (“GDPR”) regarding terms such as “processing” or “data controller”.
- 2 Data Controller
Responsible in the sense of the GDPR and other national data protection laws of the member states as well as other data protection-juridical regulations is:
DONE! Berlin GmbH
Amtsgericht (Local Court) Charlottenburg, HRB 201558 B
Schivelbeiner Str. 5
- 3 Data Protection Officer
You can contact our data protection officer at firstname.lastname@example.org or by post to the address stated in § 2 with the remark “Data protection legal matter” (“Datenschutzrechtliche Angelegenheit”).
- 4 General Information on Data Processing
4.1 We process any personal data of our users only to the extent necessary to provide a functioning website as well as our content and services. In accordance with Art. 13 sec. 1 GDPR, we inform you about the legal basis of our data processing.
4.2 As far as we obtain a consent from the user for processing any data the legal basis is Art. 6 sec. 1 lit. a GDPR.
4.3 For any processing data, which is necessary for the fulfilment of a contract, whereas the contracting party is the data subject, the legal basis is Art. 6 sec. 1 lit. b GDPR. This also applies to processing operations, which are necessary for the implementation of pre-contractual measures.
4.4 As far as any processing data is necessary for the fulfilment of a legal obligation to which we are subject the legal basis is Art. 6 sec. 1 lit. c GDPR.
4.5 If the processing is necessary to preserve a legitimate interest of our company or a third party and if the interests, fundamental rights and fundamental freedoms of the data subject do not prevail over the mentioned-first interest the legal basis for the processing is Art. 6 sec. 1 lit. f GDPR.
- 5 Erasure of Data and Duration of Storage
5.1 Any data of the user will be erased or their processing will be restricted in accordance with the statutory provisions.
5.3 Any data shall also be restricted or deleted if a storage period prescribed in the regulation specified in § 4 expires, unless there are mandatory legal requirements to the contrary or there is a necessity for further storage of any data for the conclusion or performance of a contract.
- 6 Provision of the Website and Log Files
6.1 Regarding the provision of our website, we automatically process any following data and information of the requesting user:
- IP Address;
- Date and time of the request;
- Time zone difference to Greenwich Mean Time (GMT);
- Content of the request (specific page );
- Access status/HTTP status code;
- Amount of data transferred in each case;
- Website, from which the request originates;
- Operating system; and
- Language and version of the browser software.
6.2 Any data is also stored in the log files of our system. These data will not be stored together with other personal data of the user.
6.3 The legal basis for the storage of data is Art. 6 sec. 1 lit. f GDPR, our legitimate interest being the technical feasibility of operating the website. For this purpose, the IP address of the user must remain stored for the duration of the session. The storage in log files takes place in order to maintain the functionality of the website. In addition, the data are used to optimise the website and to ensure the security of our information technology systems.
6.4 Any data shall be erased as soon as they are no longer necessary for the purpose for which they were collected. In the case of the collection of data for providing the Website, this shall be the case when the session in question has ended. If the data are stored in log files, this is the case after 90 days at the latest. A storage going beyond this is possible. In this case, the IP addresses of the users are deleted or alienated, so that an assignment of the calling client is no longer possible.
- 7 Agency Services
7.1 We process any data of our customers within the scope of our contractual services. Our services include, but are not limited to the conceptual and strategic consulting, planning of campaigns, development of and consulting on design, managing of campaigns and general processes/handling, analysing of data, training, planning of administration and communication and employer and employee branding.
7.2 We may process inventory data (e.g. customer master data such as names or addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. text input, photographs, videos), contract data (e.g. subject of contract, term), payment data (e.g. bank details, payment history), usage and metadata (e.g. within the scope of evaluating and measuring the success of marketing measures). We only process special categories of personal data within the meaning of Art. 9 sec. 1 GDPR if these are part of a commissioned processing.
7.3 Data subjects include our customers, interested parties as well as their customers, users, website visitors or employees and, if applicable, third parties. The purpose of the processing is the provision of contractual services, billing and the provision of our customer service. The legal basis of the processing is Art. 6 sec. 1 lit. b GDPR regarding the provision of contractual services and otherwise Art. 6 sec. 1 lit. f GDPR, our legitimate interest being the optimization of our security measures and service provision through usage analysis.
7.4 We erase any data as soon as one of the causes stated in Art. 17 sec. 1 GDPR applies. The necessity of storing the data is examined every three years; in case of legal archiving obligations (e.g. § 257 HGB, § 147 AO) erasure is carried out after their expiration. In the event of data disclosed to us within a customer order, we generally erase the data in accordance with the specifications of the order, as a rule at the end of the order.
- 8 Cookies
- Language settings
8.3 The legal basis for the processing of personal data using cookies is Art. 6 sec. 1 lit. f GDPR.
- 9 Security Measures
9.1 In accordance with Art. 32 GDPR, we undertake measures to ensure adequate technical and organisational protection. In doing so we take into account the state of technology, the implementation costs and the nature of the scope, the circumstances and the purposes of the processing as well as the differing probability of occurrence and severity of the risk to the rights and freedoms of natural persons.
9.2 Measures shall include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to any data. We also ensure access to the data, their input, forwarding, availability and separation.
9.3 In addition, we have established procedures to ensure that any data subjects’ rights are exercised, that data is deleted and that we react to data threats. In accordance with the principle of data protection through technology design and data protection-friendly default settings, we furthermore take the protection of personal data into account as early as the development or selection of hardware, software and processes
- 10 E-Mail-Contact and Contact Form
10.1 You find a contact form on the website, which can be used for electronic contact. If a user makes use of this option, the data entered in the input mask (name and e-mail address) will be transmitted to us and stored.
10.3 Alternatively, you can contact us via the e-mail address provided. In this case, the data of the user transmitted with the e-mail will be stored.
10.4 Any data will not be passed on to third parties. The data will be used exclusively for the processing of the conversation.
10.5 The legal basis for the processing of any data when using the contact form is Art. 6 sec. 1 lit. f GDPR. If the e-mail contact aims at the conclusion of a contract, then additional legal basis for the processing is Art. 6 sec. 1 lit. b GDPR.
10.6 The processing of any data from the input mask of the contact form serves us exclusively for the establishment of contact. In case of contacting us by e-mail, this also constitutes the necessary legitimate interest regarding the processing of data. Other personal data processed during the sending process serve to prevent abuse of the contact form and to ensure the security of our information technology systems.
10.7 Any data will be erased as soon as they are no longer necessary to fulfil the purpose for which they were collected. With regard to any data from the input mask of the contact form and those sent by e-mail, this is the case when the conversation with the user has ended. The conversation is concluded when it can be inferred from the circumstances that the matter has been conclusively resolved.
10.8 If the user contacts us by e-mail, he can object to the storage of his/her data at any time. In this case, the conversation cannot be continued. All data stored in the process of contacting us will be erased in this case.
- 11 Google Analytics
11.2 Google will use this information on our behalf to evaluate the use of our online services by users, to compile reports on the activities within this online service and to provide us with other services associated with the use of this online service and the Internet. Pseudonymous user profiles can be created from any processed data.
11.3 Google is certified under the EU/US Privacy Shield, thereby ensuring compliance with European data protection law.
11.4 The legal basis for the use of Google Analytics is Art. 6 sec. 1 lit. f. GDPR, our legitimate interest being in the analysis, optimisation and economic operation of our web offer.
11.5 We use Google Analytics only with IP anonymization enabled. This means that Google shortens the IP address of the user within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases, will the full IP address be transmitted to and shortened by Google on servers in the United States.
11.7 Users’ data will be deleted or anonymised after 14 months.
- 12 Online Presences in Social Media
12.1 We maintain online presences on social networks and platforms in order to be able to communicate with customers, interested parties and users and to inform them about our services.
12.2 We would like to point out that user data may be processed outside the European Union. This may entail risks for users, e.g. because it could make it more difficult to enforce the rights of users. With regard to US providers who are certified under the Privacy Shield, we would like to emphasize that they are thus obligated to comply with EU data protection standards.
12.3 The usage profiles can be used further, e.g. to place advertisements inside and outside the platforms that presumably correspond to the interests of the users. For these purposes, cookies are usually stored on the user’s computer in which the user’s usage behaviour and interests are recorded. Furthermore, any data can also be stored in the user profiles independently of the devices utilised by the users (especially if the users are registered members of the respective platforms and logged in).
12.4 The legal basis for data processing when visiting our online presences in social media is Art. 6 sec. 1 lit. f GDPR, whereby our legitimate interest is to optimise our services and advertising and to offer users more opportunities for communication and interaction with each other and us. If the users are asked by the respective providers of the platforms for their consent to the aforementioned data processing, the legal basis of the processing is Art. 6 sec. 1 lit. a., Art. 7 GDPR.
12.5 For a detailed description of the respective processing and the possibilities of objection (opt-out), we refer to the following linked information of the relevant providers.
12.6 In the case of requests for information and the assertion of user rights, we point out that these can be asserted most effectively with the providers. Only the providers have access to any data of the users and can undertake corresponding measures and give information directly. Should you require help nonetheless, you can contact us.
12.7 We maintain online presences on the following social networks:
- Instagram – Soziales Netzwerk; Dienstanbieter: Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA; Website: https://www.instagram.com; Datenschutzerklärung: http://instagram.com/about/legal/privacy.
- LinkedIn (LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland) – Soziales Netzwerk; Dienstanbieter: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Irland; Website: https://www.linkedin.com; Datenschutzerklärung: https://www.linkedin.com/legal/privacy-policy; Privacy Shield (Gewährleistung Datenschutzniveau bei Verarbeitung von Daten in den USA): https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active; Widerspruchsmöglichkeit (Opt-Out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
- Facebook (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) based on Agreement on joint processing of personal data – Soziales Netzwerk; Dienstanbieter: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Irland, Mutterunternehmen: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA; Website: https://www.facebook.com; Datenschutzerklärung: https://www.facebook.com/about/privacy; Privacy Shield (Gewährleistung Datenschutzniveau bei Verarbeitung von Daten in den USA): https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active; Widerspruchsmöglichkeit (Opt-Out): Einstellungen für Werbeanzeigen: https://www.facebook.com/settings?tab=ads; Zusätzliche Hinweise zum Datenschutz: Vereinbarung über gemeinsame Verarbeitung personenbezogener Daten auf Facebook-Seiten: https://www.facebook.com/legal/terms/page_controller_addendum, Datenschutzhinweise für Facebook-Seiten: https://www.facebook.com/legal/terms/information_about_page_insights_data.
- Xing – Soziales Netzwerk; Dienstanbieter: XING AG, Dammtorstraße 29-32, 20354 Hamburg, Deutschland; Website: https://www.xing.de; Datenschutzerklärung: https://privacy.xing.com/de/datenschutzerklaerung.
13 Your Rights
13.1 If your personal data are processed, you are a data subject in the sense of the GDPR and are entitled in particular to the following rights:
13.2 Right of access
a) You can request confirmation from the controller as to whether data relating to you is being processed by us. In the event of such processing, you may ask the controller to provide you with the following information:
aa) Purposes for which the personal data are processed;
bb) the types of personal data processed;
cc) the recipients or categories of recipients to whom the personal information about you has been or will be disclosed;
dd) the planned duration of the storage of the personal data concerning you or, if this is not possible, criteria for determining the storage duration;
ee) the existence of a right to rectify or delete personal data concerning you, a right to limit the processing by the controller or a right to object to such processing; and
ff) the existence of a right of appeal to a supervisory authority.
b) You have the right to request information as to whether the data concerning you will be transferred to a third country or to an international organisation. You may also request to be informed of the appropriate guarantees in accordance with Art. 46 GDPR in connection with the transfer.
13.3 Right of rectification
You have the right to have your personal data rectified and/or completed by the controller if the data processed relating to you is inaccurate or incomplete. The controller must carry out the rectification without undue delay..
13.4 Right to limitation of processing
a) You may request that the processing of data relating to you be restricted: if you dispute the veracity of the personal data concerning you for a period of time, which allows the data controller to verify the accuracy of the personal data;
aa) if the processing is unlawful and you object to the deletion of the data and instead request the restriction of the use of the personal data;
bb) if the controller no longer needs the data for the purposes of processing, but you need them to assert, exercise or defend legal claims, or
cc) if you have objected to the processing pursuant to Art. 21 sec. 1 GDPR and it has not yet been established whether the justified reasons of the data controller outweigh your reasons.
b) Where the processing of data relating to you has been restricted, such data may not be processed, with the exception of their storage, without your consent or for the purpose of asserting, exercising or defending rights or protecting the rights of another natural or legal person or for reasons of an important public interest of the Union or of a Member State.
13.5 Right to erasure
a) You may request the data controller to erase the data relating to you without undue delay and the data controller is obliged to erase this data without undue delay if one of the following reasons applies:
aa) The data relating to you are no longer necessary for the purposes for which they were collected.
bb) You withdraw your consent on which the processing according to Art. 6 sec. 1 lit. a or Art. 9 sec. 2 lit. a GDPR was based pon and there is no other legal basis for the processing.
cc) You object, according to Art. 21 sec. 1 GDPR, against the processing and there are no prior legitimate reasons for the processing, or you insert objection against the processing according to Art. 21 sec. 2 GDPR.
dd) The data relating to you have been processed unlawfully.
ee) The erasure of data relating to you is necessary in order to fulfil a legal obligation under Union law or the law of the Member States to which the data controller is subject.
b) If the data controller has made the personal data concerning you public and is obliged to erase them in accordance with Art. 17 para. 1 DSGVO, he shall take adequate measures to inform the person responsible for data processing that you as the data subject have requested them to erase all links to the data or copies or replications of the data. This is done taking into account the state of the art technology and implementation costs.
c) The right to erasure does not exist insofar as the processing is necessary
aa) to exercise the right to freedom of expression and information;
bb) to fulfil a legal obligation, which the requires processing under the law of the Union or of the Member States to which the controller is subject or to perform a task carried out in the public interest or in the exercise of official authority vested in the controller; or
cc) to assert, exercise or defend legal claims.
13.6 Right to information
a) If you have exercised your right to rectify, erase or limit the processing of your data against the controller, the latter is obliged to notify all recipients to whom the data have been disclosed of this rectification, erasure or limitation of the processing, unless this proves impossible or involves a disproportionate effort.
b) You have the right, to be informed of these recipients by the data controller
13.7 Right to data portability
a) You have the right to receive the data relating to you that you have provided to the responsible person in a structured, common and machine-readable format. In addition, you have the right to communicate this data to another controller without being hindered by the controller to whom the personal data was provided, provided that
aa) the processing is based on a consent in accordance with Art. 6 sec. 1 lit. a GDPR or Art. 9 sec. 2 lit. a GDPR or on a contract in accordance with Art. 6 sec. 1 lit. b GDPR and
bb) Processing is performed using automated procedures.
b) In exercising this right, you also have the right to request that the data be transmitted directly by one data controller to another data controller, insofar as this is technically feasible. Rights of other persons must not be affected by this.
13.8 The right to data portability shall not apply to the processing of data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
13.9 Right to object
a) You have the right to object at any time, for reasons related to your particular situation, to the processing of data relating to you carried out pursuant to art. 6 sec. 1 lit. e or f GDPR.
b) The controller will no longer process the personal data relating to you unless he can prove that there are compelling legitimate reasons for the processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
13.10 Right to withdraw his or her consent
You have the right to withdraw your data protection consent at any time. The withdrawal of your consent does not affect the legality of the processing carried out based on your consent until you withdraw it.
13.11 Right to lodge a complaint with a supervisory authority
Regardless of any other administrative or judicial remedy, you shall have the right to complain to a supervisory authority, in particular in the Member State in which you reside, your place of work or the place where the alleged infringement is presumed, if you believe that the processing of your personal data is in breach of the GDPR.