LIBERTIES – Privacy Policy – Updated October 6, 2022
(Obligation to inform according to GDPR)
Table of Contents
I. Name and address of the controller
II. General information on data processing
III. Website, RSS feed, log files
IV. Cookies
V. Newsletter
VI. Campaign
VII. Donation
VIII. E-mail, postal mail
IX. Applications
X. Embedded service providers
XI. E-learning platform (Knowledge Hub)
XII. Social media links
XIII. Web analytics
XIV. Heatmap analytics
XV. Rights of the data subject
I. Name and address of the controller
The controller, according to the General Data Protection Regulation and other national data protection laws of the member states as well as other provisions of data protection law, is:
Civil Liberties Union for Europe e.V. (hereinafter referred to as Liberties)
Ebertstrasse 2, 10117 Berlin, Germany
Represented by Balázs Dénes
Phone: +49 (0) 30 89 63 69 25
E-mail: info (at) liberties.eu
Internet address: www.liberties.eu
II. General information on data processing
1. Scope of the processing of personal data
We normally only process the personal data of our users to the extent necessary to ensure the operation of our website, our content and our services. The processing of personal data of our users takes place regularly after consent of the user or due to our legitimate interests. An exception applies in those cases in which it is not possible to obtain prior consent for practical reasons and where the processing of the data is permitted by applicable law.
2. Legal basis for the processing of personal data
Where we obtain the consent of the data subject for the processing of personal data, the legal basis shall be Article 6(1)(a) of the EU General Data Protection Regulation (GDPR).
Article 6(1)(b) GDPR serves as the legal basis for the processing of personal data required for the fulfilment of a contract to which the data subject is a party. This also applies to any processing operations that are necessary to carry out pre-contractual measures.
Insofar as the processing of personal data is necessary to fulfil a legal obligation to which our organisation is subject, Article 6(1)(c) GDPR shall serve as the legal basis.
If the processing is necessary to safeguard a legitimate interest of our organisation or a third party and if the interests, fundamental rights and fundamental freedoms of the data subject do not outweigh the first interest, Article 6(1)(f) GDPR shall serve as the legal basis for this processing.
III. Website, RSS feed, log files
1. Description and scope of data processing
Each time a user accesses our website, our system automatically collects data and information from the system of the accessing computer.
The following data is collected:
- IP address (partially anonymised)
- Date and time of the request
- Time zone difference to GMT
- Content of the website
- Access status (HTTP status)
- Transferred data volume
- Website from which you came to our website
- Web browser
- Operating system
- Browser language and version
This happens both when you access our website directly and when you view our website content via an RSS feed. The data is also stored in the log files of our system. This data is not stored in conjunction with other personal data of the user.
2. Legal basis for data processing
The legal basis for the temporary storage of data and log files is Article 6(1)(f) GDPR. The provision of personal data is partly in our legitimate interest and partly legally required (see point 5, paragraph Provider). It is not possible not to provide the data. Your only form of objection is by not visiting our website.
3. Purpose of data processing
In order to enable delivery of the website to the user's computer, the system needs to temporarily store the IP address. For this purpose, the IP address of the user must remain stored for the duration of the session. The same applies to the provision of website content via RSS feed.
Data is stored in log files in order to ensure the functionality of the website. The data is also used for optimising the website and to ensure the security of our IT systems.
We also use the log files on a daily basis to determine the total number of clearly identified visitors to our website. It is not possible to deduce information about individual visitors from this. We determine the total number of website visitors in order to compare it to the number of visitors who have agreed to our tracking of their visit.
No further evaluation of the data for marketing purposes is carried out in this context. These purposes also include our legitimate interest in data processing according to Article 6(1)(f) GDPR.
4. Categories of recipients of personal data and data processing outside of the European Union
As a rule, we do not pass on personal data to third parties unless we are obliged to do so by law or have obtained permission to do so. Excluded from this is the involvement of service providers, e.g. for hosting the website, whom we have carefully selected with regard to data protection and for whom we have taken the necessary measures required under European Union data protection laws for legitimate data processing (e.g.: Standard Contractual Clauses, Binding Corporate Rules, etc.).
We use services from hosting, application service and domain providers with whom we have a data processing agreements in place. The service providers we use are: Heroku, AWS, Contabo.
Heroku
We use Heroku platform as a service (PaaS) that enables developers to build, run, and operate applications entirely in the cloud (website: https://www.heroku.com). Heroku, Inc. (650 7th St, San Francisco, CA 94103) is a subsidiary of Salesforce.com, Inc. or one of its affiliates (Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, United States). Heroku’s data protection measures are available at: https://www.salesforce.com/company/privacy/
AWS
We use storage, platform as a service (PaaS), and domain registration services provided by Amazon Web Services (AWS, Website: https://aws.amazon.com/). We also use Amazon Cloudfront in order to increase the reliability of our online services, provide greater protection against data loss and improve the loading speed of this website. Amazon Web Services Inc. (410 Terry Avenue North, Seattle, WA 98109-5210) is a subsidiary of Amazon.com, Inc. (410 Terry Avenue North Seattle, WA). Amazon’s GDPR compliance measures are available at: https://aws.amazon.com/compliance/gdpr-center/ You can download the privacy policy of AWS here: https://aws.amazon.com/de/privacy/.
Contabo
We use Contabo as our virtual cloud service provider (see under XII. Web Analytics tool). Contabo GmbH is a German limited liability company (Aschauer Straße 32a, 81549 Munich, website: www.contabo.de).
Contabo’s data protection measures are available at: https://contabo.com/en/legal/privacy/
Due to the integration of active content from service providers such as Facebook and YouTube, your data (specifically your IP address) will also be transferred to third countries when this content is accessed. More details on this can be found below in the notes on the individual providers, X – Embedded service providers.
5. Duration of data storage
The data will be erased as soon as it is no longer needed for achieving the purpose for which it was collected. If the data has been collected in order to provide the website, this will be the case once the session has ended. The same applies to access via the RSS feed.
According to § 113 b TKG (Telecommunications Act), only the (telecommunications) provider is obliged to store the Internet protocol address assigned to the subscriber (a unique identifier used for the Internet connection) as well as an assigned user identifier and date and time of the beginning and end of Internet use under the assigned Internet protocol address, stating the underlying time zone, for a period of ten weeks.
Longer storage times may be possible in connection with the prosecution of administrative criminal offences.
6. Objection and removal possibility
The collection of data for the provision of the website as well as the storage of data in log files are essential for the operation of the website. Consequently, there is no possibility for the user to object, except for the aforementioned non-usage of our website.
IV. Cookies
1. Description and scope of data processing / Purpose of data processing / Legal basis of such processing
Our website uses cookies. Cookies are small data packages that can be stored on the hard drive of your computer when visiting websites. These cookies usually contain a characteristic string of characters that uniquely identifies the browser software when you return to the site or continue to the next page of the site.
We use cookies to make our website more user-friendly. Some elements of our website require that the accessing web browser can be identified even after a new page has been opened.
The following data is stored in the cookies we use:
- Storage of the value of whether basic cookies and session cookies are accepted for more convenient navigation ("Necessary") (Legal basis: legitimate interest according to Article 6(1)(f) GDPR.)
- Statistics cookies ("Performance"): Statistics cookies allow Liberties to track visitor interaction with the site in order to measure and improve site performance. (Legal basis: legitimate interest according to Article 6(1)(f).)
- Donation status and language preferences ("Preferences"): When you decide to donate, the website accompanies you through the donation process. This is required for the donation process to work. Other cookies are used to match the language preference of the user. (The legal basis for donation cookies is the conclusion of a contract according to Article 6(1)(b) GDPR. For language preference cookies it is consent according to Article 6 (1)(a) GDPR.) The use of these cookies entails the transfer of personal data to third countries (e.g., USA), where the level of data protection is not equivalent to that of the EU, and where there is a risk that authorities may, on request, access your personal data. By allowing preference cookies, you consent to the use of preference cookies as well as to data processing and transfer to third countries of such data.
- Storage of the value of whether third-party cookies are accepted ("Functional Preferences"): Only after third-party cookies have been accepted, content from third-party providers such as YouTube videos will be actively integrated into the site (Legal basis: consent pursuant to Article 6(1)(a) GDPR).) See also further below for information on the respective providers, X – Embedded Service Providers. The use of these cookies entails the transfer of personal data to third countries (e.g., USA), where the level of data protection is not equivalent to that of the EU, and where there is a risk that authorities may, on request, access your personal data. By allowing preference cookies, you consent to the use of preference cookies as well as to data processing and transfer to third countries of such data.
Upon accessing our website, users are informed by an information banner about the use of cookies and, if necessary, their consent is requested. We also refer you to this data protection declaration. In this context, we are also informing users on how to disable the storage of cookies in their browser settings.
In any current browser, it is possible to delete individual or all cookies or alternatively to allow or prohibit the placement of cookies on a case-by-case basis. Please refer to the help pages of your respective browser for information on the corresponding options.
2. Categories of recipients of personal data and data processing outside of the European Union
As a matter of principle, we do not pass on personal data to third parties unless we are obliged to do so by law or unless we have obtained permission to do so. Excluded from this is the integration of the service providers that make the hosting of the website and the hosting of the Web Analytics Tool possible (see under III – Provision of the website and XIII - Web-Analytics ). We do not carry out any further processing within the framework of the provision of our website outside of the European Union (with the exception of the integrated service providers, see under X – Embedded Service Providers).
3. Duration of storage, possibility of objection and removal
Cookies are stored on the user's computer and transmitted to our site by the user, therefore, you (the user) have complete control over their usage. You can deactivate or restrict the transmission of cookies by changing the settings of your Internet browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically, for example, every time you close your browser. However, if cookies are deactivated for our website, your preferences for our website will also be deleted (e.g. information as to whether you have consented to the use of third-party cookies).
V. Newsletter
1. Description and scope of data processing
We are sending out newsletters to our newsletter subscribers on a regular basis. As part of the organisation of the newsletter distribution, the following data of our newsletter subscribers is processed: When setting up the newsletter subscription, we ask for the first name and surname (for personal contact) as well as the e-mail address of the person subscribing. The subscriber’s country of origin is also requested so that we can send out the newsletter in the appropriate national language (not all newsletter contents are always sent out in the national language).
2. Legal basis for data processing
Legal basis for the processing of your personal data in connection with the newsletter dispatch is Article 6(1)(a) GDPR in conjunction with your specific consent to receive the newsletter. You can revoke this consent to receive the newsletter at any time with effect for the future. For this purpose, it is sufficient to use the unsubscribe option at the end of each newsletter. Please note that the lawfulness of the processing of your data up to the time of revocation remains unaffected by the revocation.
3. Purpose of data processing
We use our newsletter service provider to deliver our newsletter to the subscribers of our newsletter.
4. Categories of recipients of personal data and data processing outside of the European Union
The service provider we use for sending our newsletter is Mailjet GmbH (a subsidiary of Mailgun Technologies Inc., 112 E Pecan St #1135, San Antonio, TX 78205). Since the company operating MailJet and its IT infrastructure are located in the United States, data may be transferred to third parties in a non-secure third country, such as the United States. Therefore, additional security is required when data is transferred to Mailjet. In the case of Mailjet, this is currently achieved through (1) the Data Protection Addendum (including Standard Contractual Clauses as per European Commission’s Decision 2021/914/EU of June 4, 2021 and, (2) additional safeguards with respect to security measures including data encryption, data aggregation, separation of access controls and data minimization principles. Here ( https://www.mailgun.com/security-privacy/) you will find all legal information (such as general and special terms and conditions provided by Mailjet), here ( https://www.mailjet.com/dpa/) you can find concrete information on their data protection information.
5. Storage duration
Your data will remain stored in our newsletter database for as long as you wish to receive our newsletter. If you revoke your consent the newsletter dispatch will be stopped and afterwards, your data will be deleted from our newsletter mailing list.
6. Objection and removal possibility
You can revoke your consent to receive the newsletter at any time with effect for the future. To do this, you only need to use the unsubscribe option at the end of the respective newsletter. Please note that the lawfulness of the processing of your data up to the time of revocation remains unaffected by the revocation.
VI. Campaign
1. Description and scope of data processing
We carry out campaigns on a regular basis. On our websites, we offer the opportunity to participate in our campaigns to those who are interested. As part of the organisation of campaign participation, the following data on the participants in our campaigns is processed:
When you join a campaign, we ask for your name (for personal contact), e-mail address and country. In exceptional cases, when it is relevant, we may ask for further personal data. In some cases, we offer the possibility to subscribe to a Campaign Info Mail. The country of origin of the subscriber is requested so that the Campaign Info Mail can be sent in the appropriate national language if necessary (not all Campaign Info Mail content is always sent in the national language).
In some cases, we may direct you to a partner’s website where their privacy policy applies.
2. Legal basis for data processing
The legal basis for the processing of your personal data in the context of the campaign tool is Article 6(1)(a) GDPR in conjunction with your specific consent to participate in the respective campaign. You may revoke your consent to participate in the campaign at any time with effect for the future. For this purpose, all you need to do is to make use of the unsubscribe option at the end of the respective campaign info mail. Please note that the lawfulness of the processing of your data up to the time of revocation remains unaffected by the revocation.
3. Purpose of data processing
Using the campaign tool (petition tool, e-mail campaign tool, campaign infomail), we enable interested parties to participate in our campaigns and, upon request, we use infomails to keep campaign participants informed about current developments regarding the respective campaign.
4. Categories of recipients of personal data and data processing outside of the European Union
The service provider we use for sending our campaign infomail is Mailjet GmbH (a subsidiary of Mailgun Technologies Inc., 112 E Pecan St #1135, San Antonio, TX 78205). Since the company operating Mailjet is located in the United States, data may be transferred to third parties in a non-secure third country, such as the USA. Therefore, additional security is required when data is transferred to Mailjet. In the case of Mailjet, this is currently achieved through (1) the Data Protection Addendum (including Standard Contractual Clauses as per European Commission’s Decision 2021/914/EU of June 4, 2021 and, (2) additional safeguards with respect to security measures including data encryption, data aggregation, separation of access controls and data minimization principles.
Here (https://www.mailgun.com/security-privacy/) you will find all legal information (such as general and special terms and conditions provided by Mailjet), here (https://www.mailjet.com/dpa/) you can find concrete information on their data protection information.
5. Storage duration
Your data will remain stored in our infomail database for as long as you wish to participate in the respective campaign. If you revoke your consent, the campaign infomail will no longer be sent to you and your data will be deleted from our database. If you are only participating but have not subscribed to the campaign info mail, your data will be deleted within 30 days after the end of the campaign.
6. Objection and removal possibility
You can revoke this consent to your participation in the campaign at any time with effect for the future. To do this, all you have to do is use the unsubscribe option at the end of the respective campaign info mail. Please note that the lawfulness of the processing of your data up to the time of revocation remains unaffected by the revocation.
VII. Donation
1. Description and scope of data processing
On our website, you have the possibility to support us once or regularly with donations. To do this, all you have to do is click on the donation button displayed on any page.
By clicking on this button, you will be taken to the donation page, where you will be asked to accept cookies (if you have not done so previously). Two cookies will then be set, one from Stripe, our payment service provider, and one from PayPal, our second payment service provider.
Depending on which payment service provider you choose, you will either be taken directly to a PayPal page (after clicking on Donate with PayPal), where you can enter your payment and legitimize it by logging in to PayPal, or if you have clicked on "NEXT" and want to pay using Stripe, you will be asked for further information (amount of donation, cycle, name, email address, card number). We only send the payment data to Stripe without further processing the data ourselves.
Liberties does not see your bank or credit card details for either payment method; these are only processed by the payment service provider. Here (https://stripe.com/de/privacy) you can find Stripe's data protection declaration and other conditions (https://stripe.com/de/privacy, depending on your browser's language settings a translation might be available). You can find PayPal's privacy policy at https://www.paypal.com/uk/webapps/mpp/ua/bcr and the various other terms and conditions at https://www.paypal.com/GR/webapps/mpp/ua/legalhub-full).
2. Legal basis for data processing
The legal basis for the processing of your personal data in connection with your donation is Article 6(1)(b) GDPR.
3. Purpose of data processing
The donations help us to co-finance our work. To do this, we have to process the data of the donors mentioned above.
4. Categories of recipients of personal data and data processing outside of the European Union
Both payment service providers are located in the United States, which means that data is transferred to third parties in a non-secure third country. Therefore, additional security is required if data is to be transferred to these payment service providers. In the case of Stripe (Stripe, Inc., 510 Townsend Street, San Francisco, California 94103), this is achieved through Standard Contractual Clauses and necessary technical and organizational measures. For detailed information on Stripe’s Privacy measures see https://stripe.com/en-de/privacy-center/legal#data-transfers.
PayPal Inc. has issued binding corporate rules for data protection (see https://www.paypal.com/uk/webapps/mpp/ua/bcr and https://cnpd.public.lu/fr/actualites/national/2018/02/bcr-paypal.html).
This means that the prerequisites are met for PayPal to be able to process the personal data of our donors in accordance with data protection laws.
5. Storage duration
Your data will remain stored with our financial accounting for as long as we are obliged to keep our accounts under the relevant tax law for associations. Specifically, the German Fiscal Code in §§ 140 ff. obliges us to keep our accounts for 6 to 10 years.
6. Objection and removal possibility
You can revoke your consent to the donation (at least for recurring donations) at any time with future effect through Stripe or PayPal. A revocation affects the personal data, which must be processed, used or transmitted for (contractual) payment processing, only after the expiry of legally prescribed retention periods. For this purpose, please use the information provided by Stripe and PayPal within the context of your donation. If you need help in this, please contact us at gdpr@liberties.eu. Please note that the lawfulness of the processing of your data up to the time of revocation remains unaffected by the revocation.
VIII. E-mail, postal mail
1. Description and scope of data processing
You can use the provided e-mail address to contact us. In this case, the personal user data transmitted with the e-mail will be stored. The same applies similarly to postal mailings.
In this context, no data will be passed on to third parties. The data will only be used for communication with the user.
2. Legal basis for data processing
The legal basis for the processing of the data transmitted in the course of an e-mail transmission is Article 6(1)(f) GDPR. If the purpose of the e-mail contact is the conclusion of a contract, Article 6(1)(b) GDPR is an additional legal basis for the processing. The same applies similarly to postal mail.
The provision of personal data is not required by law or contract but may serve to conclude a contract for the reasons stated above.
3. Purpose of data processing
In the event of contact being established by e-mail, this also constitutes the required legitimate interest in the processing of the data. The same applies similarly to postal deliveries.
4. Categories of recipients of personal data and data processing outside of the European Union
As a matter of principle, we do not pass on personal data to third parties unless we are obliged to do so by law or unless we have obtained your consent to do so.
Excluded from this is the integration of the service provider who provides our e-mail hosting. Other than that, no data is processed outside of the European Union.
5. Storage duration
The data will be deleted as soon as it is no longer required for achieving the purpose for which it was collected. For the personal data sent by e-mail or post, this is the case when the respective conversation with the user has ended. The conversation has ended once it can be inferred from the circumstances that the matter in question has been conclusively clarified. Further retention periods may result from the German Tax Code or the Commercial Code (§ 195 BGB, 3-year regular limitation period).
6. Objection and removal possibility
At any time, the user has the possibility to revoke their consent to the processing of personal data with effect for the future. For this purpose, a new message via the contact form or a message by e-mail is sufficient.
If the user contacts us by e-mail, they can object to the storage of his personal data at any time. In such a case, the conversation cannot be continued.
In this case, all personal data stored in the course of establishing contact will be deleted unless legal retention periods conflict with this. The same applies similarly to postal deliveries.
IX. Applications
1. Purpose of data processing
- Address management and e-mail communication
- Conducting the application process
- Reimbursement of travel expenses for applicants' arrival
- Data that may be used in the application process to assert, exercise or defend potential legal claims (e.g. claims under the German General Act on Equal Treatment)
- In the case of recruitment for transfer to the personnel file
- Management of data protection rights of data subjects
2. Legal basis for data processing
Re 1: Address management and processing is part of the application process. The processing of your personal data is necessary to establish an employment relationship with you as the person concerned, therefore we process your data in accordance with Article 6(1)(b) GDPR in conjunction with § 26 paragraph 1 sentence 1 German Data Protection Act (BDSG).
Re 2: Since processing is necessary to establish an employment relationship with you as the data subject, we process your data in accordance with Article 6(1)(b) GDPR in conjunction with § 26 paragraph 1 sentence 1 BDSG.
Re 3: According to § 670 BGB, applicants are legally entitled to reimbursement of the necessary interview costs if no provision has been made as to which costs for travel to the interview will be covered by the employer. Since the processing is necessary to conduct the interview and thus to establish an employment relationship with you as the person concerned, we process your data in accordance with Article 6(1)(b)GDPR in conjunction with § 26 paragraph 1 sentence 1 BDSG.
Re 4: We may use your personal data, which we have received during the application process, to assert, exercise or defend potential legal claims (e.g. if Liberties would be exposed to claims under the General Equal Treatment Act). The legal basis for the processing is Article 6(1)(f) GDPR. Liberties has a legitimate interest in the use of personal data for the aforementioned reasons.
Re 5: The data will be transferred to the personal file of the potential employee after recruitment. The legal basis for the processing is Article 6(1)(b) GDPR in conjunction with Article 26 paragraph 1 sentence 1 BDSG.
Re 6: The processing is carried out to comply with or fulfil the legal obligation of the data subjects' rights under data protection law mentioned in Chapter III (Articles 12-22) GDPR, to which Liberties must comply as the responsible party within the meaning of Article 4(7)GDPR. The legal basis for this processing is Article 6 (1)(c)GDPR.
3. Description of the categories of personal data
Re 1: Contact data (surname, first name, e-mail address, telephone number, address data, contact type, fax number), communication contents.
Re 2: Cover letter, curriculum vitae, photographs, certificates and other proofs of qualification as well as other data which were sent on a voluntary basis as part of the application process.
Re 3: Travel data (e.g. arrival and departure, travel expenses, travel funds), bank details.
Re 4: Master data, communication data, data to prove a legally compliant application process.
Re 5: Master data, communication data, covering letter, curriculum vitae, photograph, certificates and other proofs of qualification as well as other data which were sent voluntarily within the scope of the application process.
Re 6: Declarations of revocation of any consent you may have given; declarations of objection which you may submit to the processing of your personal data; declarations and information which we receive from you for or in connection with the assertion of your data protection rights as specified in Chapter III (Articles 12-22) GDPR.
4. Categories of recipients to whom the personal data have been or will be disclosed
Within Liberties, to those employees who need to receive the data in order to carry out the application process (management, specialist department, human resources department), as well as the telephone service used in the performance of our activities and the IT service providers with whom we have concluded appropriate contracts in order to ensure the protection of your personal data at all times and, if necessary, to the authorities for possible criminal investigations.
5. Storage duration
If Liberties has not recruited you after the application process has been completed, your data will be deleted within 6 months of the rejection of your application. If your application is successful and you are employed by Liberties, your personal data will be deleted once the purpose of the data processing no longer applies, at the latest after termination of the employment relationship (storage limitation), unless legal retention periods or legal limitation provisions preclude deletion.
6. Necessity of providing the data
The provision of your personal data is neither required by law nor by contract. However, the provision of your personal data is necessary for the execution of the application process. If you do not wish to make your personal data available, we will not be able to consider you for an application process at Liberties.
X. Embedded service providers
We integrate functions of external service providers on our websites (e.g. the integration of videos) that have their own data protection regulations.
If you allow third-party cookies on our website, the content of those third-party providers will be downloaded. Your data will not be transferred to these service providers beforehand.
Please note that if you use the service offered by these embedded service providers, this entails a transfer of personal data to third countries (e.g. USA), where the level of data protection is not equivalent to that of the European Union, and where there is a risk that authorities may, on request, access your personal data. If you choose to use the services of these providers, you consent to the data processing and to the transfer of your personal data to third countries.
Below is a list of the service providers involved:
1. Flourish.studio – Interactive diagrams and creation of infographics
On some of our subpages we use embedded interactive diagrams and infographics to present data and numbers in visually easy to understand formats without requiring you to leave the Liberties pages. When you open a subpage with an embedded Flourish.studio diagram, the iframe ( https://en.wikipedia.org/wiki/IFrame) embedded by us communicates with the servers of https://flourish.studio and you thereby accept their terms and conditions ( https://flourish.studio/terms/). The provider of the service used is the British company Kiln Enterprises Ltd, 08825531 G06, 16 Baldwin's Gardens, London EC1N 7RJ, United Kingdom. The service provider does not set cookies in your browser. Further information on data protection at "Flourish.studio" can be found in the provider's data protection declaration ( https://flourish.studio/privacy/).
2. InterAct – Creation of embeddable quizzes and questionnaires
On some of our subpages we use embedded quizzes and questionnaires to inform our users in an interactive format, without requiring them to leave the Liberties pages. When users open a subpage with an embedded InterAct quiz, the iframe (https://en.wikipedia.org/wiki/Iframe) that we have embedded communicates with the servers of www.tryinteract.com and you thereby accept their general terms and conditions (https://www.tryinteract.com/terms). The provider of the service used is The Quiz Collective, Inc. 2443 Fillmore St #380-14013, San Francisco, CA 94115, USA. The provider doesn’t set cookies in your browser. For more information about privacy at TryInterAct, see the provider's privacy statement ( https://www.tryinteract.com/privacy).
3. Buzzsprout – Embedded podcast players
If you open one of our subpages on which a podcast player is embedded and the content is displayed in an iframe (https://en.wikipedia.org/wiki/Iframe), the iframe establishes a connection to the provider and exchanges data with this provider. If you use this podcast player, no cookies are set in your browser.
For more information about privacy at Buzzsprout, see the provider's privacy statement (https://www.buzzsprout.com/privacy).
4. Issuu - Embedded PDF viewer
On some subpages we offer extensive content in the form of PDF files, which can be displayed directly on the website using a tool we use, without requiring you to leave the liberties.eu website.
If you open one of our subpages on which the tool is integrated and the content is displayed in an iframe (https://en.wikipedia.org/wiki/Iframe), the iframe establishes a connection to the provider and accepts its general terms and conditions. If you use the embedded PDF viewer, Isuu Inc sets cookies in your browser.
The tool is provided by Issuu Inc, 131 Lytton Ave, Palo Alto, CA 94301, United States. The general terms and conditions can be found here (https://issuu.com/legal/terms).
Further information on data protection at "Issuu" can be found in the provider's data protection declaration (https://issuu.com/legal/privacy).
5. Embedded YouTube videos
On some subpages we include YouTube videos.
If you open one of our subpages on which a YouTube video is embedded and the content is displayed in an iframe (https://en.wikipedia.org/wiki/Iframe), the iframe establishes a connection to the provider and exchanges data with this provider. If you use this video viewer, no cookies are set in your browser.
We integrate YouTube videos using "youtube-nocookies".
The provider of the YouTube player is YouTube, LLC 901 Cherry Ave, 94066 San Bruno, CA, USA, a company belonging to Google Inc., Amphitheatre Parkway, Mountain View, CA 94043, USA.
Further information on data protection at "YouTube" can be found in the provider's data protection declaration (https://www.google.de/intl/de/policies/privacy/).
6. Embedded Facebook videos and posts
On some subpages we include Facebook videos or Facebook posts.
When you open one of our subpages that includes a Facebook video or a Facebook post preview box and the content is displayed in an iframe (https://en.wikipedia.org/wiki/Iframe), the iframe connects to the provider and exchanges data with it. If you use this video viewer, cookies are set in your browser.
The Facebook video player is offered by Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland.
For more information about privacy at Facebook, please see the provider's privacy policy (https://www.facebook.com/privacy/explanation).
XI. E-learning platform (Knowledge Hub)
1. Description and scope of data processing
On our website, we offer you access to our knowledge hub, an e-learning platform that helps NGOs and civil society organisations to develop their teams' professional skills in various areas. There you find free, easy-to-follow courses that will help make your advocacy work and campaigns more impactful.
We use edX self-hosted learning management system. You can read their privacy policy here: https://openedx.org/privacy-policy/.
If you use the e-learning platform, cookies are set in your browser.
When you register to the e-learning platform we ask you to provide:
- Full name
- Public username (if required instead of the email address)
- Organisation name (where they work, other NGOs)
- Organisation type
- Country
- Email address
- Password
On an optional basis, you can provide further personal data within your platform account.
2. Legal basis for data processing
Legal basis for the processing of your personal data in connection with the e-learning platform is Article 6(1)(a) GDPR.
3. Purpose of data processing
We use the e-learning platform to deliver free, easy-to-follow courses to registered users.
4. Categories of recipients of personal data and data processing outside of the European Union
We use AWS services and Matomo to deliver this service. The e-learning platform is part of our website. For further information, consult - III. Website, RSS feed, log files.
5. Storage duration
Your data will remain stored in our database for as long as you wish to be a registered user of the e-learning platform.
6. Objection and removal possibility
You can revoke your consent at any time with effect for the future. For this purpose, it is sufficient to use the delete my account option in the platform. Please note that the lawfulness of the processing of your data up to the time of revocation remains unaffected by the revocation.
XII. Social media links
On our website, we offer you the opportunity to share these respective websites via social media. However, we only use share links to integrate social media. This means that your data is not automatically transferred to social media providers when you visit our websites.
Only if you follow the appropriate link are you directed to the social media, where your data will be processed accordingly.
We provide the sharing function for the following social media:
We also provide the sharing function by e-mail and by copying the URL of the respective website.
On our website we also refer to our social media pages, specifically our Facebook page, our Twitter account and our YouTube account.
With these links, too, your data will only be processed by the social media once you click on these links, leave our website and open our respective page at the provider of the social medium.
XIII. Web analytics
1. Description and scope of data processing
When you visit our website, your surfing behaviour can be analysed statistically. This is done primarily with cookies and web analytics programs. We use the open source software tool Matomo on our website. The software is set so that the IP addresses are not stored in full. It is not possible to assign the abbreviated IP address to the accessing computer.
2. Legal basis for data processing
The legal basis for the processing of your personal data in connection with statistical analysis is Article 6(1)(f) GDPR.
3. Purpose of data processing
The statistics help us to optimise our work, e.g. to constantly improve our website and its user-friendliness.
4. Categories of recipients of personal data and data processing outside of the European Union
Matomo software runs exclusively on a server controlled by us. Specifically, we use the hosting services of Contabo GmbH (Aschauer Straße 32a, 81549 Munich, website: www.contabo.de).
We have concluded a data processing agreement with Contabo.
5. Storage duration
The data will be deleted after 5 years, i.e. as soon as they are no longer needed for our records.
6. Objection and removal possibility
Matomo uses cookies. Cookies that have already been placed can be deleted at any time. This can also be done automatically. We also offer our users the option of opting out of the analytics process on our website. This option is available here: Cookie Settings.
Information regarding the privacy settings of the Matomo software can be found here: https://matomo.org/docs/privacy/.
XIV. Heatmap analytics
1. Description and scope of data processing
When you visit our website, your surfing behaviour can be analysed statistically. This is done primarily with cookies and web analytics programs. We use Hotjar on our website in order to better understand your needs and to optimize our service and your experience (e.g. how much time you spend on which pages, which links you choose to click, what parts you do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behavior and their devices. This includes a device's IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually forbidden to sell any of the data collected on our behalf.
For further details, please see the ‘about Hotjar’ section of Hotjar’s support site.
2. Legal basis for data processing
The legal basis for the processing of your personal data in connection with statistical analysis is Article 6(1)(f) GDPR.
3. Purpose of data processing
The statistics help us to optimise our work, e.g. to constantly improve our website and its user-friendliness.
4. Categories of recipients of personal data and data processing outside of the European Union
Hotjar application, and the usage data that Hotjar collects through its software is stored in Ireland, European Union (EU) on the Amazon Web Services infrastructure, eu-west-1 data centers. The application and database servers run inside an Amazon Virtual Private Cloud (VPC).
5. Storage duration
Recordings data in Hotjar is kept from date of capture for 365 days. Heatmap data is retained for 365 days from date of creation. Responses gathered from Feedback tools are stored indefinitely until the account owner decides to delete them.
6. Objection and removal possibility
Hotjar uses cookies. Cookies that have already been placed can be deleted at any time. This can also be done automatically. We also offer our users the option of opting out of the analytics process on our website. This option is available here: Cookie Settings.
Information regarding the privacy settings of the Hotjar software can be found here: https://www.hotjar.com/legal/policies/privacy/.
XV. Rights of the data subject
If your personal data is processed, you are a data subject as defined by the GDPR and you have the following rights vis-à-vis the controller:
1. Right to information
You may at any time, with due regard to the requirements of Article 15 of the GDPR, request information from the controller as to whether and how we are processing your personal data.
2. Right to rectification
With due regard to the provisions of Article 16 of the GDPR, you have the right to have your personal data corrected and/or completed by the data controller if the processed personal data relating to you is inaccurate or incomplete. The data controller must rectify the data immediately.
3. Right to restriction of processing
With due regard to the provisions of Article 18 of the GDPR, you may require the controller to restrict the processing.
4. Right to erasure
With due regard to the provisions of Article 17 of the GDPR, you may request the controller to delete your personal data.
5. Notification obligation
If you have exercised your right to rectify, cancel or limit the processing of your personal data against the controller, the latter is obliged to notify all recipients to whom your personal data have been disclosed of this rectification, cancellation or limitation, unless this proves impossible or involves a disproportionate effort.
You have the right to be informed of these recipients vis-à-vis the data controller pursuant to Article 19 of the GDPR.
6. Right to data portability
With due regard to the requirements of Article 20 of the GDPR, you have the right to receive the personal data concerning you that you have provided to the controller in a structured, commonly used and machine-readable format.
7. Right to object
You have the right, subject to the conditions of Article 21 of the GDPR, to object at any time, for reasons arising from your particular situation, to the processing of your personal data under Article 6(1)(e) or (f) GDPR, even if the profiling is based on these provisions.
8. Right to revoke the declaration of consent under data protection law
You have the right to revoke your declaration of consent under data protection law at any time. The revocation of your consent does not affect the legality of the processing carried out on the basis of your consent up to the point of revocation.
9. Right of appeal to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to complain to a supervisory authority, in particular in the Member State of your residence, place of work or place of presumed infringement, if you consider that the processing of your personal data is in breach of the GDPR.
The supervisory authority where the complaint was lodged will inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.
The supervisory authority in charge of Liberties.eu is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219
10969 Berlin
www.datenschutz-berlin.de
Date of data protection declaration: 06 October 2022 (English version)
In the event of a dispute regarding the "Privacy Policy www.liberties.eu", the English-language version shall prevail.
Help us fight for your rights!