- Who is accountable for processing my personal data?
- What data is collected?
- What cookies are used?
- What data is collected and for what purpose?
- Who comes into possession of my personal data?
- Is my personal data processed outside of the EU or EEA (‘transfer to a third country’)?
- What data privacy rights do I have?
- To what extent does automated decision-making take place?
- Is profiling done?
1. Who is accountable for processing my personal data?Bertelsmann SE & Co. KGaA
33311 Gütersloh, Germany
Phone: +49 (0) 5241-80-0
Fax: +49 (0) 5241-80-62321
is responsible for processing your personal data on this website (hereinafter referred to as “we”). We process personally identifiable information (“personal data”) in accordance with GDPR provisions and the German Federal Data Protection Act (BDSG).
You can contact our designated Data Protection Officer at the address indicated above by using the reference ‘For the attention of the Data Protection Officer’ or by writing to: firstname.lastname@example.org.
2. What data is collected?
When you visit our website, the data of the computer you use to access our website is automatically logged (“access data”). This access data includes server log files that generally consist of information pertaining to your web browser type and version, your operating system, your internet service provider (ISP), the date and time you used the website, the websites previously visited by you and the websites you accessed from our website, in addition to the IP address of your computer. With the exception of your IP address, the information contained in the server log files is not personally identifiable. An IP address is personally identifiable when it is static (permanently allocated when using internet access) and the ISP is able to attribute it to a specific person.
Some features of our website require that you divulge personal information to us. In this case, the information provided by you is used to provide the service requested by you or process a matter submitted by you (e.g. search queries, entries made in forms or contracts, click data).
3. What cookies are used?
As a general principle, cookies enable online recognition without reference to a specific person. Cookies may become personally identifiable when the information they contain is merged with other information apart from the information generated by the cookies themselves. Here a distinction is made between cookies that are necessary for the provision of website features, and cookies that are required for other purposes, e.g. analysis of user behaviour or displaying advertising-related content.
The cookies that are required for the provision of website features include the following in particular:
- Cookies that are used to identify or authenticate the user;
- Cookies used to temporarily store user input (e.g. the content of a shopping cart or online form);
- Cookies used to store user preferences (e.g. search or language settings);
- Cookies that store data to enable the trouble-free rendering of video or audio content.
Cookies that are needed for other purposes of the website include analytics cookies to record the usage behaviour of our users and evaluate it in the form of statistics (e.g. advertising banners clicked, sub-pages visited, search queries conducted).
4. What data is collected and for what purpose?
The purpose of data processing may be based on technical, contractual or statutory requirements or result from consent having been given by the user.
We use the data described in section 2 for the following purposes:
- To provide website features and content and ensure technical security in troubleshooting technical issues and also to ensure that unauthorized persons do not gain access to our website systems;
- To conduct marketing reach measurements and web analyses in order to make our website more efficient and interesting for you, and for market research purposes;
- For communication, completion of precontractual procedures, and customer care purposes; and
- To send out press releases via email.
4.1 Provision of the website
4.1.1 Description and scope of data processing
In order to enable the proper functioning of our website, security analyses to be conducted, and denial-of-service attacks to be prevented and stopped, server log files are automatically collected and saved on a short-term basis as an integral part of access data that is created by the system of the visiting computer upon accessing our website and while using it (see section 2). The content of the server log files is not merged with other data. We use the server log files for statistical analyses to troubleshoot and remedy technical issues, prevent and defend against denial-of-service attacks and attempted fraud, and to optimize the proper functioning of our website.
4.1.2 Purpose and legal basis of data processing
The legal basis for the creation of server log files follows from Art. 6(1)(f) GDPR. Our legitimate interests lie in the proper functioning of our website, conducting security analyses and defending against threats.
4.1.3 Duration of storage or criteria applied in defining this period
When the pages of our website are accessed, information is logged to server log files that are stored on our web server; the IP address contained in them is deleted after 7 days at the latest. No analysis is conducted during this time unless there is a denial of service or other attack.
4.1.4 Options for lodging an objection and having your data removed
You have the right to lodge an objection to the processing of your data contained in the server log files provided that there are cogent reasons that arise from your specific situation. If you would like to exercise your right to lodge an objection, please write to the contact address in section 1.
4.2 Contact form, email and telephone contact information
4.2.1 Description and scope of data processing
On our website you have the option of contacting us by way of a contact form, by email or by telephone using the designated email address and phone number. If you take advantage of this option, the information you enter in the contact form, your email address and/or your phone number are disclosed to us. Depending on the reason you are contacting us (questions about our products and services, pursuing your rights as a data subject, e.g. submitting a request for information) your contact details are processed (with the assistance of service providers). If necessary for processing your request, this information may be shared with third parties (e.g. partner companies).
4.2.2 Purpose and legal basis of data processing
The legal basis for processing your contact details follows from Art. 6(1)(f) GDPR. We have legitimate interests in processing your request and in continued communication. If the purpose for your establishing contact with us is to enter into a contract with our company, the legal basis for processing your contact details follows from Art. 6(1)(b) GDPR.
4.2.3 Duration of storage or criteria applied in defining this period
Your contact details are deleted once your request has been processed and further communication has been discontinued. This does apply if the purpose of your establishing contact with us is to conclude a contract or you wish to exercise your right as a data subject (e.g. request information). In this case your details are stored until all contractual and/or statutory obligations have been fulfilled and statutory retention periods (currently 6 to 10 years) do not prevent this information from being deleted.
4.2.4 Options for lodging an objection and having your data removed
You have the right to lodge an objection to the processing of your contact information provided that there are cogent reasons that arise from your specific situation. If you would like to exercise your right to lodge an objection, please write to the contact address in section 1. If you lodge an objection, communication with you cannot be continued. This does not apply if the storage of your contact details is necessary for completing precontractual procedures, fulfilling a contract or exercising your rights as a data subject.
4.3 Asserting your rights as a data subject
4.3.1 Description and scope of data processing
On the website you have the possibility of asserting your rights as a data subject, e.g. request information on your personal information that is currently stored by us. In order to assert your rights as a data subject, it may be necessary that you provide information to Bertelsmann and/or its subsidiaries pertaining to your person and the specific information that has been processed. Without providing this information, Bertelsmann and/or its subsidiaries are not able to cater to your rights as a data subject.
4.3.2 Purpose and legal basis of data processing
The legal basis for processing your personal information in asserting your rights as a data subject follows from Art. 6 (1) point c GDPR, “Complying with a legal obligation”.
4.3.3 Duration of storage or criteria applied in defining this period
Bertelsmann and/or its subsidiaries store(s) the correspondence exchanged with you in relation to your asserting your rights as a data subject for a period of three years. This does not apply to information obtained to clarify your identity, e.g. by way of a labeled photocopy of your personal identity card, where Bertelsmann and/or its subsidiaries have been provided one. It will be deleted within one week at the latest of establishing your identity.
4.3.4 Options for lodging an objection and having your information removed
The processing of your information is required for complying with your rights as a data subject, and to that extent you have no right to revoke your consent to its processing.
4.4 Web tracking
Our website uses features to measure and evaluate user behavior and interaction. These features will utilize your access data (see section 2 above) and analyze your interactions with our website by means of tracking cookies (see section 3 above). This kind of analysis does usually not require personal data. Your IP address will therefore be shortened for the last octet what leads to anonymous user profiles which will not be combined with other data we store. Identifiable user profiles will only be created if you have consented to it.
Web tracking is usually conducted by involvement of external providers (Processors). With such processors we have concluded data processing agreements; contracts, which strictly bind them to our instructions and oblige them to process the collected data on our behalf and in a substantially limited way only. Where such a Processor is established outside of the EU, there might occur a so-called third country transfer. This is lawful, if the Processor offers an adequate level of data protection, which can be achieved by different means (additional safeguards). We ensure that every Processor provides at the time of his involvement such a level. Which additional safeguard is applicable respectively, is indicated below.
4.4.1 Google Analytics
This website uses Google Analytics, a service provided by Google Inc. Google Analytics causes a usage profile to be created in order to optimize the user-friendliness of our website. A pseudonym is assigned to this profile. In so doing, your access data is collected as described in section 2 and your usage behaviour analyzed using analytics cookies as described in section 3. Personal identification is not necessary for web tracking: when collecting your access data your IP address is shortened before being transmitted to Google Inc., meaning no information can be attributed to you. These usage profiles to which pseudonyms are assigned are analyzed for the purpose of optimizing user-friendliness. This data is not merged with other data by Google Inc. We ensure that Google Inc. only uses this data as instructed by us under a contract data processing agreement we have concluded with Google Inc.
4.4.2 Purpose and legal basis of data processing
The legal basis for collecting and analyzing pseudonym usage profiles follows from Art. 6(1)(f) GDPR / Section 15(3) German Telemedia Act (TMG). We have a legitimate interest in optimizing the user-friendliness of our website and performing marketing reach measurements.
4.4.3 Duration of storage or criteria applied in defining this period
As a general rule, the data that is collected and analyzed in association with Google Analytics remains stored until you raise an objection to it being used in this manner. Analytics cookies are stored for a maximum of 24 months.
4.4.4 Options for lodging an objection and having your data removed
You can raise an objection to the use of Google Analytics by changing your browser settings and/or clicking on the following link to download and install the browser plug-ins:
Google Analytics: https://tools.google.com/dlpage/gaoptout
4.5 Links to other websites
This website contains links to the website of other website operators. Clicking on the links takes you to the respective websites (e.g. Facebook, YouTube). With the exception of your access data to make the other website available, no data of yours is transmitted to these website operators.
5. Who comes into possession of my personal data?
Within our company those who need access to your information for the purposes described in section 4 will be given access to it. Service providers contracted by us may also be given access to your information (“contract data processors”, e.g. data centers, mailing services for newsletters, web tracking). They are bound by our directives and must provide for data security and the confidential treatment of your information under the contract data processing agreements we have concluded with them.
No sharing of information with other recipients such as advertising partners, providers of social media services or credit institutions (“third parties”) takes place.
6. Is my personal data processed outside of the EU or EEA (‘transfer to a third country’)?
The use of Google Analytics as described in section 4.4 above causes personal data to be transferred to a third country since the data centers of Google Inc. are located outside of the European Union and the European Economic Area (“EU or EEA”). Such transfers of personal data to third countries may result in your personal information being transmitted to a country which does not provide for the same standard of data protection as the EU or EEA. However, by being certified under the EU-US Privacy Shield, Google Inc. ensures that a level of data protection comparable to that in the EU/EEA is ensured. You can request a copy of these safeguards by contacting the addresses indicated in section 1 above.
7. What data privacy rights do I have?
You have the right to request access to your personal data that is currently stored by us. If this data is incorrect or not up to date, you have the right to request rectification. You also have the right to have your personal data erased and/or its processing restricted as provided for in Art. 17 and Art. 18 GDPR. You also have the right to request a copy of the personal data provided by you in a structured, commonly-used, machine-readable format (right to data portability).
If you have given your consent to the processing of your personal information for specific purposes, you can revoke that consent at any time for the future. Your notice of revocation is to be addressed to us by writing to the contact address indicated in section 1.
Pursuant to Art. 21 GDPR, you also have the right for reasons relating to your specific situation to raise an objection to the processing of your data that is done on the basis of Art. 6(1)(f) GDPR. You also have the right to lodge an objection to the processing of your personal information for direct marketing purposes. The same applies to automated processes involving the use of individual cookies, unless they are required for providing the functionality of our website.
You also have the right to lodge a complaint with the competent data protection authority. The authority responsible for us is:Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
40213 Düsseldorf, Germany
You also have the right to contact the data protection authority at your place of residence and request support in pursuing your matter.
8. To what extent does automated decision-making take place?
We do not use any fully automated decision-making processes for any of the purposes set out in section 4.
9. Is profiling done?
No profiling takes place for any of the purposes set out in section 4.