Privacy statement for waitro.org
As data protection and security are some of our top priorities, we would like to provide you with extensive information as to how we will process your personal data. Your data will remain your property. Our systems are subject to regular security audits and are constantly being developed.
The aim of this privacy statement is to inform you about the personal data that will be processed when you visit our website and use the members’ area, and the rights you have with regard to your data.
The applicable legislation states that personal data must be processed lawfully, fairly and transparently for data subjects (“lawfulness, fairness and transparency”). To ensure this, we would like to inform you about the terms defined in the European General Data Protection Regulation (GDPR) and the new Federal Data Protection Act (BDSG), which are also used in this privacy statement.
1.1 Personal data
“Personal data” means any information related to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transfer, dissemination or other means, alignment, combination, restriction, erasure or destruction.
1.3 Restriction of processing
“Restriction of processing” means the marking of stored personal data with the aim of limiting its processing in the future.
“Profiling” means any form of automated data processing used to evaluate certain personal aspects related to a natural person, particularly to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
“Pseudonymization” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data cannot be attributed to an identified or identifiable natural person.
1.6 Filing system
“Filing system” means any structured set of personal data that is accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
“Recipient” means a natural or legal person, public authority, agency or another body to which personal data is disclosed, whether a third party or not. However, public authorities which may receive personal data as part of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of such data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
1.10 Third party
“Third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
2. Who is responsible for data processing at waitro.org?
The following party is responsible for data protection issues:
Waitro Office Germany
c/o Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V.
Fraunhofer-Institutszentrum Schloss Birlinghoven IZB
Schloss Birlinghoven 1
53757 Sankt Augustin
3. Who can answer any questions I might have about data protection?
If you have any questions about data protection, please contact our data protection officer.
Our data protection officer can be contacted by post at the address indicated above (FAO “Data Protection Officer”) or via email (email@example.com).
4. General information about data processing on our website
We would like to inform you below about the personal data that will be collected when you use our website. Some of the personal data may include your name, address, email address or user behavior.
If you get in touch with us by email or via a contact form, we will save the information you provide (e.g. your email address, first name, surname and perhaps your gender and title) to respond to your questions. We will delete any data obtained in this manner as soon as it no longer has to be stored, or we will restrict processing if such erasure is prevented by our statutory retention obligations. We will not perform any “automated individual decision-making”, as described in Art. 22 GDPR; in particular, we will not carry out any profiling.
If you use our website for purely informational purposes (i.e. if you do not register or do not provide us with information in any other way), we will collect the personal data that your browser transmits to our server. If you view our website, we will collect the data listed below; this is technically necessary to display our website and to guarantee stability and security:
– Your IP address;
– The date and time of your request;
– The difference between your time zone and Greenwich Mean Time (GMT);
– The content of your request (specific page);
– The access status / HTTP status code;
– The volume of data transmitted;
– The website from which your request comes;
– Your browser;
– Your operating system and its interface; and
– The language and version of your browser software
The legal basis for the processing of this data is point (f) of Art. 6 (1) GDPR. We have a legitimate interest in maintaining the stability and security of our website.
In addition to the data listed above, cookies will be saved on your computer when you use our website. A cookie is a small text file that is saved on your device to enable certain information to be obtained by the entity that places it. Cookies cannot run any programs or transmit viruses to your computer. They help to improve the overall user-friendliness and efficiency of our website.
5.1 Necessary Cookies
We are entitled to use such cookies in accordance with point (f) of Art. 6 (1) GDPR, as we have a legitimate interest in ensuring a functional website that is displayed correctly.
5.2 Tracking cookies to control advertising campaigns and measure website audience data
When you visit our website for the first time, we will ask for your explicit consent for cookies to be used for the purposes specified above. The legal basis for this form of data processing is point (f) of Art. 6 (1) GDPR.
5.3 Cookie settings
Our website can also be visited without cookies. If you would like to conveniently use all features of our website, however, you should enable cookies. Most browsers are set to enable cookies by default. However, you can configure your browser to display cookies before they are saved, to enable or disable certain cookies, or to reject all cookies. If you change your settings, please note that the changes will only apply to the browser in which they are made. If you use different browsers or change your device, you will have to change your settings again. You can also delete cookies from your storage disk at any time. You can find more information about your cookie settings and deleting cookies in your browser’s help section.
5.4 Google Analytics
As we use Google Analytics with IP anonymization, however, your IP address will first be truncated in the member states of the European Union or the European Economic Area. Only in exceptional cases will your full IP address be transmitted to a Google server in the United States and truncated there. Google will use this information on behalf of the website provider to analyze your use of the website by creating reports on website activities for website operators and providing other services related to the use of websites and the Internet. The IP address transmitted by your browser via Google Analytics will not be combined with any other data held by Google.
Your personal data will only be transmitted to a server in the USA with your consent. If you accept the cookie, you will explicitly consent to the transfer of your personal data to the USA in accordance with point (a) of Art. 49 (1) GDPR.
Please note that the European Court of Justice (ECJ) has classified the USA as an unsafe third country for which no adequacy decision has been issued and which does not ensure appropriate safeguards for you to exercise your rights. The level of data protection in the USA is not the same as the level ensured within the EU. Whenever cookies are used to transmit data to the USA, there is subsequently a certain degree of risk involved. In particular, we cannot assure that your personal data will not be accessed and processed by state (monitoring) authorities – and there may be a lack of effective legal remedies. The legal basis for processing is point (a) of Art. 6 (1) GDPR and point (a) of Art. 49 (1) GDPR.
You can prevent Google Analytics from tracking your activities in future by downloading and installing the Google Analytics opt-out add-on for your current browser (click here: https://tools.google.com/dlpage/gaoptout?hl=en-GB). In addition, you can always withdraw your consent with future effect by configuring your cookie settings or rejecting all cookies.
6. Social media links
Our website features links to various social media platforms (e.g. Facebook, Instagram, LinkedIn, Twitter, YouTube). These are not social media plug-ins that cause data to be transmitted to the respective operator; they are simply hyperlinks. If you click on one of the links, you will be redirected to the respective website provider; your IP address will be transmitted. If you are logged in to your account with the social media provider when you click on a link, additional data may be collected by the respective provider.
7. Integration of YouTube videos
This website features YouTube videos. YouTube is a service provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). If you click on a YouTube video, a connection will be established to the provider’s servers. As the videos are embedded in “Privacy Enhanced Mode”, the provider states that your user information will only be saved when you play a video. When you start a video, YouTube will set a cookie to collect information on your user behavior.
If you have enabled the relevant cookie, a connection to Google’s “DoubleClick” network may be established regardless of whether you play an embedded video, and your user behavior may be analyzed as a result.
Your personal data will only be transmitted to a server in the USA with your consent. If you accept the cookie, you will explicitly consent to the transfer of your personal data to the USA in accordance with point (a) of Art. 49 (1) GDPR. Please note that the European Court of Justice (ECJ) has classified the USA as an unsafe third country for which no adequacy decision has been issued and which does not ensure appropriate safeguards for you to exercise your rights. The level of data protection in the USA is not the same as the level ensured within the EU. Whenever cookies are used to transmit data to the USA, there is subsequently a certain degree of risk involved. In particular, we cannot assure that your personal data will not be accessed and processed by state (monitoring) authorities – and there may be a lack of effective legal remedies. The legal basis for processing is point (a) of Art. 6 (1) GDPR and point (a) of Art. 49 (1) GDPR.
If you give your consent, you can subscribe to our newsletter so that we can inform you about our latest events and offers that may be of interest to you.
We use the so-called “double opt-in” process for subscriptions to our newsletter. In other words, once you have subscribed, we will send you an email for you to confirm whether you would like to receive the newsletter. If you do not confirm your subscription within 24 hours, your information will be blocked and automatically deleted after one month. We will also save your IP addresses and the time you subscribe and confirm your subscription. The purpose of this process is to prove you have subscribed to our newsletter and shed light on the possible misuse of your personal data.
If you wish to receive our newsletter, you must provide your email address, first name and last name. If you voluntarily provide additional data, which is marked separately, we will use this information to address you personally. Once you have confirmed your subscription, we will save your email address for the purpose of sending you the newsletter. The legal basis for this is point (f) of Art. 6 (1) GDPR.
You may withdraw your consent to the newsletter and unsubscribe at any time. You can withdraw your consent by clicking on the link provided in each newsletter, by completing this form on the website, by sending an email to firstname.lastname@example.org or by sending a message to the contact indicated in our legal notice.
9. Registering to apply for WAITRO membership
If you would like to register to become a Member, you must provide your personal data to conclude a user agreement. The required fields are marked separately; all other information is optional. The following information is mandatory:
- Your first and last name;
- Your address;
- Your email address; and
We will use the data provided for the sole purpose of administering your membership. The legal basis for the processing of your personal data is point (b) of Art. 6 (1) GDPR.
The data you provide will be stored until you withdraw your consent. We will delete your data immediately if you terminate the WAITRO-Membership, unless this is prevented by our statutory retention obligations.
TLS encryption will always be used to prevent your personal data (especially your financial information) from being accessed by unauthorized third parties.
10. How long will my personal data be stored?
We will store any personal data required to perform contracts with you for the duration of our contractual relationship. We will only continue to store your data after this period if this is necessary to comply with our statutory retention obligations.
Any other data that you provide to us voluntarily will be erased when you delete your user account or withdraw your consent to data processing.
11. Will my personal data be disclosed to third parties?
As a general rule, we will not disclose your data to third parties without your explicit consent.
As a modern company, however, we may work with processors to offer you the best possible service without any interruptions. We would like to inform you about how and when we will disclose your personal data to our external partners.
Whenever we work with external service providers, data processing is performed on the basis of Art. 28 GDPR. For this purpose, we conclude the necessary agreements with our partners to ensure data protection. Your data will be processed exclusively by service providers who have been carefully selected by us, who are bound to our instructions and who are regularly audited by us. We only commission external service providers who can ensure that all data processing operations will be carried out in accordance with the relevant data protection regulations.
Your personal data may be sent to the following categories of recipients:
Newsletter service providers, hosting service providers
12. What are my rights with regard to my personal data?
In this section, we would like to tell you about your rights with regard to your personal data.
12.1 Right to withdraw consent
If your personal data is being processed on the basis of your consent, you have the right to withdraw your consent at any time. If you withdraw your consent, this will not affect the legality of any data processing carried out on the basis of your consent before it was withdrawn.
If you would like to exercise your right to withdraw your consent, please do not hesitate to contact us.
12.2 Right to confirmation
You have the right to ask us to confirm whether we are processing your personal data. If you would like to request such a confirmation, please refer to the contact details above.
12.3 Right of access
If your personal data is being processed, you may always request access to your personal data and the following information:
- The purposes of the processing;
- The categories of personal data concerned;
- The recipients or categories of recipients to whom personal data has been disclosed or will be disclosed, particularly recipients in third countries or international organizations;
- If possible, the period for which your personal data will be stored or, if this is not possible, the criteria used to determine this period;
- The right to request the rectification or erasure of your personal data or the restriction of our data processing, or the right to object to such processing;
- The right to lodge a complaint with a supervisory authority;
- If your personal data has not been collected directly from you, any available information as to its source;
- The possible use of automated decision-making, including profiling, as described in Art. 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for you;
If your personal data is being transferred to a third country or international organization, you have the right to be informed about the appropriate safeguards established for such transfers in accordance with Art. 46 GDPR. We must provide one copy of the personal data undergoing processing. If you request any additional copies, we may charge a reasonable fee to cover our administrative expenses. If you make your request by electronic means, and unless otherwise requested, the information will be made available in a commonly used electronic format. The right to obtain a copy referred to in paragraph 3 must not adversely affect the rights and freedoms of others.
12.4 Right to rectification
You may ask us to rectify any inaccurate personal data concerning you without undue delay. Taking into account the purposes of the processing, you may request the supplementation of any incomplete personal data, including by means of a supplementary statement.
12.5 Right to erasure (“right to be forgotten”)
You may ask us to erase your personal data without undue delay; we must then immediately erase your personal data, provided one of the following grounds applies:
- Your personal data is no longer required for the purposes for which it was collected or otherwise processed;
- You withdraw your consent on which the processing is based according to point (a) of Art. 6 (1) GDPR or point (a) of Art. 9 (2) GDPR, and there are no other legal grounds for the processing;
- You object to processing in accordance with Art. 21 (1) GDPR and there are no overriding legitimate grounds for processing, or you object to processing in accordance with Art. 21 (2) GDPR;
- Your personal data has been unlawfully processed;
- Your personal data has to be erased to comply with a legal obligation under European Union law or the laws of an EU member state to which we are subject;
- Your personal data has been collected in relation to the services provided by information societies described in Art. 8 (1) GDPR.
If we have made your personal data public and are obliged to erase it in accordance with Art. 17 (1) GDPR, we will consider the available technology and implementation costs and take reasonable steps, including technical measures, to inform any controllers processing the personal data that you have requested the erasure of all links to such personal data and the destruction of any copies and replications thereof.
You will not have a right to erasure (“right to be forgotten”) if processing is necessary…
- … to exercise the right of freedom of expression and information;
- … to comply with a legal obligation which requires processing under Union or Member State law to which we are subject, or to perform a task carried out in the public interest or in the exercise of official authority vested in us;
- … for reasons of public interest in the area of public health in accordance with points (h) and (i) of Art. 9 (2) GDPR and Art. 9 (3) GDPR;
- … for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 (1) GDPR, provided the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- … to establish, exercise or defend legal claims.
12.6 Right to the restriction of processing
You have the right to request the restriction of processing if any of the following requirements are met:
- You dispute the accuracy of your personal data; processing will then be restricted for a period enabling us to verify the accuracy of your personal data;
- The processing is unlawful and you oppose the erasure of your personal data and request the restriction of its use instead;
- We no longer need your personal data for the purposes of the processing, but you require the data to establish, exercise or defend legal claims; or
- You have objected to processing in accordance with Art. 21 (1) GDPR pending verification as to whether our legitimate interests override your own.
If the processing of your personal data has been restricted in accordance with the above requirements, your personal data will only be processed (with the exception of storage) with your consent or for the establishment, exercise or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of an important public interest of the Union or a Member State.
If you would like to exercise your right to the restriction of data processing, please do not hesitate to contact us by referring to the contact details above.
12.7 Right to data portability
You have the right to receive any personal data you have provided to us in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from us, provided:
- The processing is based on consent pursuant to point (a) of Art. 6 (1) GDPR or point (a) of Art. 9 (2) GDPR or on a contract pursuant to point (b) of Art. 6 (1) GDPR; and
- The processing is carried out by automated means.
In exercising your right to data portability pursuant to paragraph 1, you may have your personal data transmitted directly from one controller to another, provided this is technically feasible. If you exercise your right to data portability, this will have no bearing on your right to erasure (“right to be forgotten”). That right does not apply to any processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
12.8 Right to object
You may always object, on grounds relating to your particular situation, to the processing of your personal data based on point (e) or (f) of Art. 6 (1) GDPR, including any profiling based on those provisions. We will then no longer process your personal data, unless we can demonstrate compelling legitimate grounds for processing which override your interests, rights and freedoms, or unless your personal data is being processed for the establishment, exercise or defense of legal claims.
If your personal data is being processed for direct marketing purposes, you may always object to the processing of your personal data for such marketing, including any profiling related to such direct marketing. If you object to processing for direct marketing purposes, we will no longer process your personal data for such purposes.
Notwithstanding the provisions set forth in Directive 2002/58/EC, you may exercise your right to object by automated means through information society services that use technical specifications.
If your personal data is being processed for scientific or historical research purposes or statistical purposes pursuant to Art. 89 (1) GDPR, you have the right to object to the processing of your personal data, on grounds relating to your particular situation, unless the processing is necessary for the performance of a task carried out in the public interest.
If you wish to exercise your right to object, please do not hesitate to contact us.
If you file an objection, please note that you will no longer be able to use our app.
12.9. Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling that may produce legal effects concerning you or may adversely affect you in a similarly significant way. This shall not apply if the decision-making…
- … is necessary for the conclusion or performance of a contract between you and us;
- … is authorized by Union law or the Member State legislation to which we are subject and which also lays down suitable measures for the safeguarding of the rights, freedoms and legitimate interests of data subjects; or
- … is based on your explicit consent.
We will take appropriate measures to safeguard your rights, freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.
If you wish to exercise this right, please do not hesitate to contact us.
12.10 Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial legal remedies, you also have the right to lodge a complaint with a supervisory authority – in particular in the member state of your habitual residence, place of work or place of the alleged infringement – if you believe your personal data is being processed unlawfully.
12.11 Right to effective judicial remedy
Without prejudice to any other administrative or j