art photonics GmbH
Rudower Chaussee 46
E-mail address: firstname.lastname@example.org
CEO: Dr. Viacheslav Artyushenko
Link to the site’s imprint: https://artphotonics.com/imprint
Contact information of the data protection officer: email@example.com
Types of Processed Data:
● inventory data (e.g. name, address)
● contact data (e.g. e-mail address, telephone number)
● content data (e.g. text input, photographs, videos)
● usage data (e.g. visited websites, content interests, access data)
● meta/communication data (e.g. device information, IP-address)
Categories of Persons Affected
Visitors and users of our online content (hereinafter the umbrella term “users” will be used to refer to all persons affected).
Purpose of Data Processing
● making available our website, including its content and the services offered there
● responding to contact requests and communicating with users
● security measures
● range measurement/marketing
“Personal data” includes all information that relates to an identified or identifiable natural person (hereinafter: “person affected”); a natural person is considered identifiable if it is possible to identify them, directly or indirectly, via attribution to an identifier such as a name, an ID number, location data, an online identifier (e.g. cookie) or one or more distinctive features that are an expression of the person’s physical, physiological, genetic, psychological, economic, cultural or social identity.
“Processing” includes every task or set of operations, performed with or without the help of automated methods, in which personal data are being processed. The term includes nearly every process in which data are being handled.
“Pseudonymization” is the processing of personal data in such a way that personal data can no longer be attributed to a single person without consulting additional data, presuming that additional information is stored separately and is subject to technical and organizational measures that guarantee that personal data cannot be allotted to an identified or identifiable natural person.
“Profiling” denotes any type of automated processing of personal data in which those personal data are being used to evaluate certain personal aspects that relate to a natural person, in particular to analyze or predict their work performance, economic standing, health, preferences, interests, reliability, behavior, place of residence or a change of locality.
The “responsible party” denotes the natural or legal person, agency, institution, or authority that determines, either by themselves or with the help of third parties, the purpose and means of processing personal data.
The “data processor” is a natural or legal person, agency, institution, or authority that processes personal data on behalf of the responsible party.
Relevant Legal Bases
Per Art. 32 GDPR, we take appropriate technological and organizational measures to ensure an appropriate level of protection, taking into account current technological standards, implementation costs and the type, scope, circumstances and purposes of processing data, as well as the various probabilities of occurrence and severity of the risks to the rights and freedoms of natural persons.
In particular, those measures include securing the confidentiality, integrity and availability of data by controlling the physical entrance to data, as well as its access, input, and transfer, as well as securing its availability and its separation.
Furthermore, we have established procedures to guarantee that persons affected can exercise their rights, that data will be deleted and that there are protocols of action in place should data be compromised. Additionally, the security of personal data is taken into account in the development or selection of hardware, software, as well as procedures, according to the principles of data protection via design of technology and privacy-friendly default settings (Art. 25 GDPR).
Collaboration with Data Processors and Third Parties
Provided we disclose, transmit or enable access in any way to outside individuals or companies (data processors or third parties), we will only do so if there is legal authorization (for example, should the transfer of data to third parties, like payment service providers, be necessary for a fulfilment of contract, per Art. 6 Para. 1 lit. b GDPR), if you have given your consent, if there is a legal obligation, or to protect the company’s legitimate interests (for example, deployment of representatives, web hosting services, etc.).
Provided we commission third parties to process data on the basis of a so-called “order processing contract” (“Auftragsverarbeitungsvertrag”), we will do so on the legal basis of Art. 28 GDPR.
Transferring Data to Third Countries
Processing of data in third countries (meaning countries outside the European Union (EU) or the European Economic Area (EEA)) by us or by third parties whose services we utilize, or disclosing data to third parties, will only occur as long as it is necessary for the fulfilment of our contractual obligations, you have given your consent, there is a legal obligation, or to protect the company’s legitimate interests. Data will only be processed in a third country as long as the special requirements of Art. 44 et seq. GDPR are applicable, except when otherwise stipulated by legal or contractual authorization. That is to say, a processing occurs, e.g. on the basis of special guarantees, such as the officially approved ascertainment of a data protection level in correspondence with EU norms (for example, the “Privacy Shield” in the case of the U.S.) or with respect to officially approved special contractual obligations (so called “standard contractual clauses”).
Legal Rights of Persons Affected
Persons affected have the right to request a confirmation stating whether pertinent data is being processed, information on the processed data, as well as further information on the nature of the data and copies of the data per Art. 15 GDPR.
Per Art. 16 GDPR, you have the right to request the completion and correction of incorrect or incomplete data pertinent to your person.
Per Art. 17 GDPR, you have the right to request data concerning your person to be deleted immediately, or alternatively, if further processing is necessary, to restrict this processing per Art. 18 GDPR.
You have the right to request that we transmit to you or other providers/controllers the data concerning your person that you have provided us, in accordance with Art. 20 GDPR.
Further, you have the right to file complaints with the supervisory authority, per Art. 77 GDPR.
Right of Revocation
You have the right to revoke with effect for the future your given approval, per Art. 7 Para. 3 GDPR.
Right of Objection
You have the right to object at any time to future processing of data concerning your person per Art. 21 GDPR. This objection can particularly be made regarding any processing of data for the purpose of direct advertising.
Cookies and the Right of Objection in the case of Direct Advertising
The term “cookies” denotes small data files that are stored on a user’s computer. Cookies can save different types of information. Primarily, a cookie is used to save information concerning the user (or the computer on which the cookie is saved) during or after a visit on a website. A temporary cookie, or rather “session cookie” or “transient cookies”, is deleted after a user leaves a website and closes the browser window. Such a cookie can, for example, be used to save the logged in status or the content of a shopping cart in an online-shop. A “permanent” or “persistent” cookie will remain on the computer after the browser window has been closed. This way, the login status can be saved, even when users return to a website after several days. Further, such a cookie can be used to save preferences and interests of the user, which can be used for range measurement and marketing purposes. A “third party cookie” is made available by other providers and not by the responsible party and controller of the website (in this case, one would refer to them as “first party cookies”).
We are allowed to utilize temporary and permanent cookies and will inform you within this policy about the details of this usage.
Deletion of Data
The data processed by us will be deleted or restricted in their processing per Art. 17 and 18 GDPR. Provided it is not explicitly stated otherwise, the data we store will be deleted as soon as it is no longer necessary to be stored for its intended purpose and there are no legal retention obligations that would prohibit a deletion. Should data continue to be stored because it is necessary to do so for other purposes permitted by law, their processing will be restricted. In other words, this data will be made inaccessible for other purposes of processing. This applies to data that must be stored for reasons relating to commercial or fiscal law.
Per German statutory provisions, data will be stored for 10 years in accordance with §§ 147 Para. 1 AO, 257 Para. 1 No. 1 and 4, Para. 4 HGB (books, records, management reports, journal vouchers, account books, records and documents relevant for taxation purposes, etc.) and 6 years in accordance with § 257 Para. 1 No. 2 and 3, Para. 4 HGB (commercial letters).
Business-related Data Processing
Additionally, we process
– Contract data (e.g. object and duration of contract, customer category)
– Payment data (e.g. bank details, payment history)
of our customers, interested parties, and business partners for the purpose of fulfilling our contractual obligations, services, customer care, marketing, advertising and market research.
We process data of our business partners and interested parties, as well as other contractees, customers, clients or contractual partners (for simplicity, hereinafter all of them will be referred to as “contractual partners”) per Art. 6 Para. 1 lit. b GDPR, to fulfill our contractual or pre-contractual obligations towards them. The data processed for this purpose, the type, scope and purpose, as well as the necessity of processing, are dependent upon the respective contractual relationship.
The processed data includes inventory data of our contractual partners (e.g. name and address), contact data (e.g. e-mail address and telephone number), as well as contract data (e.g. services used, content of contract, contractual communication, name of contact partner) and payment data (e.g. bank details, payment history).
In general, we do not process special categories of personal data, unless they are a relevant part of the commissioned and contractual processing.
We process data necessary for the establishment and fulfilment of contractual obligation and will indicate the necessity of their declaration, should it not be evident to our contractual partners. A disclosure to external parties or companies will only occur, if it is necessary for the fulfilment of a contract. In processing data, we only act according to the directives of our contractual partners and the legal requirements.
With regard to the use of our online services, we are allowed to store the IP-addresses and the time of use of the respective user’s act. The storage occurs on the basis of protecting our company’s legitimate interests, as well as the interests of users from misconduct and other unauthorized use. In general, a transfer of data to third parties does not take place, unless it is necessary for pursuing our legitimate interests per Art. 6 Para. 1 lit. f GDPR or there is a legal obligation to do so per Art. 6 Para. 1 lit. c GDPR.
The data will be deleted once it is no longer necessary for the fulfilment of contractual or legal duties of care, or the dealings with potential seller’s warranties or comparable obligations. The necessity of storage will be reviewed every three years. The legal duties to preserve records apply.
Administration, Financial Accounting, Office Administration, Contact Management
We process data for the purpose of administrative tasks of our company, administrative accounting and to abide by legal obligations, for instance, archiving. In doing so, we process the same data that we process for the purpose of fulfilling our contractual obligations. The legal bases for these purposes are Art. 6 Para. 1 lit. c GDPR and Art. 6 Para. 1 lit. f GDPR. Affected persons include customers, interested parties, business partners and visitors of our website. The purpose of, as well as our interest in, processing data concern our company’s administration, administrative accounting, office administration, archiving of data, in other words, tasks that are meant to maintain our business activities and help us exercise our duties and provide our services. The deletion of data with regard to contractual obligations and contractual communication complies with the information given for the respective processing activities.
For these purposes we disclose and transfer data to the financial management, consultants, such as tax advisers and auditors, as well as other payment service providers and fee offices.
In order to maintain our economic interests, we store data concerning our distributors, event organizers, and other business partners, for instance, for communication purposes. These mostly business-related data are generally stored permanently.
Contact and Communication
When a user contacts us (for instance, via contact form, e-mail, telephone, or social media), their data will be processed for the purpose of handling their requests and any further transaction per Art. 6 Para. 1 lit. b GDPR. The data provided by the user can be stored in a customer relationship management system (“CRM system”) or a comparable organizational tool for requests.
We delete stored data collected from requests, provided they are no longer needed. We review their necessity every two years. The legal archiving obligations apply.
The following information is meant to explain the content of our newsletter, our login, mail-order, and statistical evaluation procedures, and your right of objection. When you subscribe to our newsletter, you agree to its receipt and the described procedures.
Content of the newsletter: we send newsletters, e-mails, and other electronic messages containing advertising (hereinafter referred to as “newsletter”) only if the recipient has given their consent or it is legally permitted.
Provided the contents of the newsletter are described in detail during the registration process, they are applicable for the given consent of the user. In general, our newsletter contains information about us and our services.
Double-opt-In and recording: the registration for our newsletter is performed with a so-called double-opt-in procedure. In other words, you will receive an e-mail after your registration, in which you are asked to confirm your registration. This confirmation is necessary and ensures that no third party can register for our services with someone else’s e-mail address. The registrations for our newsletter are recorded with the purpose of complying with the legal requirements of verification and documentation. This includes the storage of registration and confirmation time, as well as the IP-address. Changes to your data stored by your distribution providers will be recorded as well.
Registration data: to register for the newsletter, it is sufficient to enter your e-mail address. Optionally, we ask you to supply your name, to be able to address you personally within our newsletter.
The distribution of our newsletter and the consequent measurement of success are dependent upon the permission of the user per Art. 6 Para. 1 lit. a, Art. 7 GDPR in conjunction with § 7 Para. 2 No. 3 UC or provided the recipient’s permission is not required, on the basis of our legitimate interest to employ direct marketing techniques per Art. 6 Para. 1 lit. f GDPR in conjunction with § 7 Para. 3 UC.
The recording of the registration procedure is based on our legitimate interests per Art. 6 Para. 1 lit. f GDPR. Our interests include the utilization of a user friendly and secure newsletter system that both serves our business interests and meets the expectations of the user, as well as allows us to document the given consent of users.
Cancellation/Revocation – you can cancel our newsletter at any time and thus revoke your consent. A link to the cancellation of the newsletter can be found at the bottom of each newsletter. After a user has signed out of our newsletter, we can store their e-mail address for up to three years before we delete them in order to secure our legitimate interests and be able to prove that prior to its revocation, consent had been given. The processing of this data will be restricted to the potential defense against claims. It is possible at any time to file an individual application for deletion, provided it is simultaneously confirmed that consent had been given at one point prior.
Newsletter – Mailchimp
The distribution service provider can use the data of the recipient in a pseudonymized form, in other words without assigning them to or identifying them as belonging to a user, for the purpose of optimizing or improving their own services, for instance to optimize the technical aspects of the distribution and the presentation of the newsletter or for statistical purposes. The distribution service provider does not use the data of our newsletter recipients to contact them themselves or to pass the data on to third parties.
Hosting and E-mail Dispatch
The hosting service we utilize has the purpose to make the following services available: infrastructure and platform services, computing capacity, storage space and database services, e-mail dispatch, security services, as well as technical maintenance; all of which help us operate our online service.
For these purposes we, or rather our hosting service, processes inventory data, contact data, content data, contract data, user data, meta- and communication data of clients, interested parties and website visitors on the basis of our legitimate interest to make available to our users a secure and efficient online content per Art. 6 Para. 1 lit. f GDPR in conjunction with Art. 28 GDPR (Entering into an order processing contract).
Collection of Access Data and Log files
We, or rather, our hosting service, collect data on every access of the server on which this service is hosted (so-called server log files) on the basis of our legitimate interests as defined in Art. 6 Para. 1 lit. f GDPR. This data includes the name of the accessed website, date and time of access, transmitted data volume, a notice on whether accessing the website was successful, type of browser used, including browser version, the operating system of the user, the referrer URL (the website visited before), IP-address and the provider requesting access.
Log file information will be saved no longer than 7 days for security reasons (for example, to gain information on misconduct and fraud) and will be deleted afterwards. Data necessary for further processing as evidence are excluded from deletion until the respective incident is resolved.
Google is certified under the privacy shield policy and thus provides the guarantee that the European standards of data privacy protection are met (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
On our behalf, Google will use this information to evaluate the use by the user of our online content, to assemble reports on the activities on our website and to provide us with other services related to the usage of our online content and the internet usage in general. In doing so, pseudonymized user profiles of our users can be created out of the processed data.
We use Google Analytics only with active IP anonymization. In other words, the IP addresses of users are being shortened within member states of the European Union or other contracting states that have signed the Treaty of the European Economic Area. Only in exceptional cases will the entire IP-address be transferred to a server operated by Google in the USA and then shortened.
The IP-address transmitted by the browser of the user will not be conflated with other data by Google. The users can prohibit the storage of cookies by customizing their browser settings accordingly; furthermore, users can prohibit the logging of the data related to their usage of our online content created by the cookie by downloading and installing the browser-plugin available here: http://tools.google.com/dlpage/gaoptout?hl=de.
The personal data of users will be deleted or anonymized after 14 months.
Social Media Online Presence
We have an online presence in social networks and platforms to communicate with clients, interested parties and users that are active and inform them about our services. When using social networks and platforms, their respective terms and conditions and privacy policies apply.
Embedding of Third Party Services and Contents
On the basis of our legitimate interests (e.g. interest in analyzing, optimizing, and economically operating our website per Art. 6 Para. 1 lit. f GDPR), we use content and other service offers by third parties, to embed their content and services in our website, for instance, videos and fonts (hereinafter referred to as “contents”).
This always requires that the third party providers of these contents have access to the users’ IP-addresses, since they are otherwise not able to transmit their content to the users’ browser. The IP-address is therefore necessary for the presentation of the content. We strive to only use content by providers who limit themselves to using IP-addresses for transmitting their content. Third party providers can also use so-called pixel-tags (invisible graphics, also called “web beacons”) for statistical or marketing purposes. By employing pixel-tags, information such as visitor traffic on a website can be evaluated. The pseudonymous information can be stored on a user’s computer in the form of cookies and contain other technical information regarding the browser and operating system, referring websites, duration of visit, as well as further information on the usage of the online content and can be combined with information gained from other sources.