Centre for Contemporary History (ZZF): Data Protection Policy for all Online Offerings operated by the ZZF
Name and contact details of the operator (postal address and e-mail address)
The controller responsible for the processing of personal data pursuant to Article 4 of the General Data Protection Regulation (GDPR) and Section 46 of the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) is:
Zentrum für Zeithistorische Forschung Potsdam e.V.
Am Neuen Markt 1, D-14467 Potsdam
Telephone: +49 331 28991-57
Fax: +49 331 28991-40
E-mail: sekretariat [at] zzf-potsdam.de
Adherence to the applicable data protection provisions is monitored by the institute’s Data Protection Officer, namely:
Dr Christoph Classen
Zentrum für Zeithistorische Forschung Potsdam e.V.
Am Neuen Markt 1, D-14467 Potsdam
Telephone: +49 331 28991-17
Fax: +49 331 28991-60
E-mail: datenschutz [at] zzf-potsdam.de
The ZZF processes personal data in compliance with the European GDPR, the BDSG and the national data protection provisions applicable to the Centre for Contemporary History Potsdam as the technical operator. The purpose of this data protection policy is to inform the general public of the nature, scope and purpose of the personal data collected and processed by the ZZF when its online offerings are used. This data protection policy also informs data subjects of their rights.
As the controller, the ZZF has implemented numerous technical and organisational measures to ensure the best possible protection of personal data processed through this website. However, the electronic transmission of data can, in principle, have security gaps, meaning that absolute protection cannot be guaranteed. For this reason, every data subject is free to transfer personal data to us through alternative (analogue) means, for example by telephone.
The terms “personal data”, “data subject”, “processing”, “restriction of processing”, “profiling”, “pseudonymisation”, “controller”, “processor”, “recipient”, “third party” and “consent” used in this data protection policy are based on the definitions provided in Chapter 1 Art. 4 of the GDPR.
Purpose(s) and procedures for data processing
The ZZF endeavours to operate all its online offerings in such a way that they can be used without providing personal data. If the provision of personal data is required for the use of specific information services, then explicit consent is obtained.
However, for the purposes of the technical operation of its portals, its own reporting system and its accountability to public donors, the ZZF is required to store personal data to a certain extent and for certain purposes. Yet in accordance with its charter, the ZZF does not pursue any commercial goals and does not use personal data for commercial purposes or marketing. The individual data-processing procedures used are explained below.
Data subjects can prevent the ZZF website from storing cookies in their web browser at any time by checking the corresponding setting in their web browser and thus permanently opt out of the storage of cookies. In addition, cookies that are already stored in the web browser can be deleted at any time using a web browser or other software programs. This is possible in all common web browsers. By deactivating the storage of cookies in their web browser, the data subject might not be able to use all of the functions and features offered on this website.
Use of Google Analytics (with anonymisation function)
The ZZF uses Google Analytics (with anonymisation function) to analyse the usage of some of its online offerings. Google Analytics is a so-called web analytics service. Web analytics is the recording, collection and analysis of data about the behaviour of visitors to websites. A web analytics service collects, inter alia, data about the website from which a person has come (the so-called referrer), which sub-pages were visited, and how often and for what duration a subpage was viewed. Web analytics is predominantly used to optimise websites and to monitor the usage of offerings / individual articles and downloads. Selected access figures for the online offerings of the ZZF are regularly published in the ZZF’s annual reports and are used as key performance indicators in the internal reporting system.
For the web analytics performed by Google Analytics, the ZZF uses the extension “_gat._anonymizeIp”. This extension truncates the IP address of the data subject’s Internet connection before it is transferred to Google from member states of the European Union or other contracting parties to the Agreement on the European Economic Area. This guarantees the anonymisation of your IP address, so that all data are recorded anonymously. Only in exceptional cases will the whole IP address be first transferred to a Google server in the USA and truncated there.
The ZZF has arranged the processing of usage data via Google Analytics with the operating company Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA in a so-called data processing agreement. This agreement stipulates the adherence to European data protection laws. A deletion deadline of 14 months has been set for the data.
Visitors to the online offerings of the ZZF can prevent Google Analytics from performing web analytics by opting out of the storage of cookies by the website, as described above, using the respective setting in the web browser and thus permanently opting out of the storage of cookies. Such a setting of the web browser used would also prevent Google from storing a cookie on the information technology system of the data subject. Cookies already stored by Google Analytics can also be deleted at any time using the web browser or other software programs.
On webpages that use Google Analytics, the ZZF also offers a so-called opt-out cookie that allows the user to be excluded from analytics tracking through a single click. This must be used if the website is being accessed from mobile devices, as the above-mentioned browser add-on does not work on these devices.
Additional information and the applicable data protection provisions from Google can be accessed at https://www.google.de/intl/de/policies/privacy/ and http://www.google.com/analytics/terms/de.html. A more in-depth explanation of Google Analytics can be found under the following link: https://www.google.com/intl/de_de/analytics/.
Server protocols and log files
Each time a data subject or an automated system visits the ZZF website, the ZZF web servers record a range of general data and information. These general data and information are stored in the server log files. The following can be recorded: (1) browser types and versions used; (2) the operating system used by the accessing system; (3) the website from which an accessing system reaches the ZZF website (so-called referrer); (4) the web subpages which are visited via an accessing system on the ZZF website; (5) the date and the time of access to the website; (6) an Internet Protocol address (IP address); (7) the Internet service provider of the accessing system; and (8) other similar data and information which serve to avert dangers in the event of attacks on our information technology systems.
When using these general data and this information, the ZZF does not draw any conclusions about the data subject. Instead, this information is needed (1) to correctly deliver the contents of our website; (2) to ensure the permanent functionality of our information technology systems and the technology of our website; and (3) to make available to law enforcement authorities the information needed for prosecution in the event of a cyber-attack. The data and information are analysed by the ZZF with a view to increasing operational security in order to ensure an optimum level of protection for the personal data processed by us. The data in the server log files are stored separately from all personal data provided by a data subject, are stored only for the above-mentioned purposes, and deleted after seven days.
Registering on the institute’s website
Users can register for various online services on the ZZF website, during which personal data are transferred. It must be noted that these registrations (with the exclusion of newsletter delivery, see below) are exclusively reserved for institute members with the requisite access information. The processing of personal data of ZZF employees is regulated separately and not further detailed here.
The ZZF informs interested persons over the age of 16 about the work of the institute by means of a regular newsletter. Visitors can subscribe to this newsletter via the institute’s website. What types of personal data are transmitted to the controller when the newsletter is ordered is determined by the input mask used for this purpose.
The data subject can only receive the ZZF newsletter if (1) the data subject has a valid e-mail address and (2) the data subject registers to receive the newsletter. This is in accordance with the so-called double opt-in procedure. Data subjects can also permanently unsubscribe from the newsletter via a link in the respective newsletter.
The personal data collected in the course of registering for the newsletter are used exclusively for the mailing of the newsletter. Tracking via so-called tracking pixels does not take place. The personal data collected as part of the newsletter service are not passed on to third parties. The data subject can unsubscribe from the newsletter at any time, the simplest way being by replying by e-mail to the originating address of the newsletter. The consent to the storage of personal data (name, e-mail) provided to the ZZF by the data subject for the newsletter mailing can be withdrawn at any time. All data recorded for the newsletter mailing are deleted immediately upon unsubscribing.
Entry forms for contact with editorial departments and operators
Some of the webpages of the ZZF contain entry forms that facilitate the speedy electronic contact to editorial departments and controllers, something that requires entering an e-mail address and a name. If a data subject contacts the ZZF via e-mail or a contact form, the personal data transmitted by the data subject are automatically stored. Such personal data voluntarily transmitted by a data subject are used solely for processing purposes or for contacting the data subject. These personal data are not passed on to third parties. The transmitted data will be deleted immediately upon request.
Handling of comments and posts
If you leave a post or comment on webpages of the ZZF, we do not store any information about the contributor beyond the data provided in the entry form. We especially do not store any IP addresses. All details are provided on a voluntary basis and editorially reviewed prior to publication. You can demand the deletion of a comment at any time via the contact address provided or the address of the editorial department for the specific website.
Social media “Recommend” buttons
Some of the webpages of the ZZF use “Like” buttons from social media platforms such as Facebook, Google+ and Twitter. These buttons are implemented on the ZZF webpages in such a way that no data are transmitted to the aforementioned platforms when the page is accessed. The script “Social Share Privacy” (https://www.heise.de/ct/artikel/2-Klicks-fuer-mehr-Datenschutz-1333879.html) is used for this purpose. The “Recommend” button must first be activated by a user. Only thereafter and with an additional click are data transmitted to the respective platform operator. The data protection provisions of the respective social media provider set out the purpose and scope of this data collection and the further processing and use of the data. The ZZF itself does not store any data resulting from the use of social media “Recommend” buttons.
Services and content from third parties are embedded in our website on the basis of, inter alia, point (f) of Art. 6(1) GDPR in order to make our offering more appealing and increase our reach. This always requires that the provider of such content obtains the IP address of the user. Without this IP address, these third parties cannot send the content to the browser of the respective Internet user. The transmission of the IP address is thus required in order to display this content. Content from the following third parties is embedded in our website:
In order to embed videos, we use, inter alia, the provider YouTube. YouTube is operated by YouTube, LLC with head offices in 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube is represented by Google Inc. based in 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. On some of our webpages we use plugins from the provider YouTube in order to show YouTube videos. When you access this website, a connection to the YouTube servers is established in order to play videos. This informs the YouTube server which of our webpages you have visited. If you are logged in to YouTube as a member, YouTube will allocate this information to your personal user account. When using the plugin, for example by clicking the start button on a video, this information will also be allocated to your user account. You can prevent this allocation by logging out of your YouTube user account and other accounts provided by the company YouTube LLC and Google Inc. and deleting the respective cookies of these companies before using our website.
Additional information regarding data processing and data protection notifications from YouTube/Google can be found at www.google.de/intl/de/policies/privacy/
In order to embed videos, we use, inter alia, the provider Vimeo. Vimeo is operated by Vimeo LLC with head offices in 555 West 18th Street, New York, New York 10011.
On some of our webpages we use plugins from the provider Vimeo in order to show Vimeo videos. When you access this website, a connection to the Vimeo servers is established in order to play videos. This informs the Vimeo server which of our webpages you have visited. If you are logged in to Vimeo as a member, Vimeo will allocate this information to your personal user account. When using the plugin, for example by clicking the start button on a video, this information will also be allocated to your user account. You can prevent this allocation by logging out of your Vimeo user account and deleting the respective cookies of this company before using our website.
Additional information regarding data processing and data protection notifications can be found at https://vimeo.com/privacy.
Web font from Fonts.com
For the display of fonts, this website uses web fonts provided by Monotype GmbH (fonts.com / fast.fonts.net). When you open a page, your browser loads the required web fonts into your browser cache to display texts and fonts correctly. For this purpose, your browser has to establish a direct connection to the servers of fonts.com. Fonts.com is thus informed that our website was accessed via your IP address. Web fonts from fonts.com are used in the interest of a uniform and attractive presentation of our website. This constitutes a justified interest pursuant to point (f) of Art. 6 (1) GDPR. If your browser does not support web fonts, a standard font is used by your computer. Further information on these web fonts can be found at https://www.fonts.com/info/legal, in the data protection policy of Fonts.com: https://www.fonts.com/info/legal/privacy/ and in the data protection policy of Monotype GmbH: https://www.monotype.com/legal/privacy-policy/
Routine erasure and blocking of personal data
The controller shall process and store the personal data of the data subject only for the period necessary to achieve the purpose of storage, or as far as this is granted by the European legislator or other legislators in laws or regulations to which the controller is subject to.
If the storage purpose is not applicable, or if a storage period prescribed by the European legislator or another competent legislator expires, the personal data are routinely blocked or erased in accordance with legal requirements.
Rights of the data subject
Right to confirmation
You have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed by the ZZF.
Right to information
If such processing has taken place, you can request the following information from the controller:
o the purposes of the processing (see above);
o the categories of personal data concerned (see above);
o the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
o where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
o the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
o the right to lodge a complaint with a supervisory authority;
o where the personal data are not collected from the data subject, any available information as to their source;
o the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Furthermore, the data subject shall have the right to request information as to whether the personal data concerning him or her are transferred to a third country or to an international organisation. If this is the case, the data subject also has the right to be informed of the appropriate guarantees relating to the transfer.
If the data subject wishes to exercise the right to information, he or she can contact an employee of the controller for this purpose at any time.
Right to rectification
You have the right to obtain from the controller without undue delay the rectification or completion of inaccurate personal data concerning you. The controller shall make the rectification without undue delay.
Right to erasure
You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
o the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
o the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1) GDPR, or point (a) of Article 9(2) GDPR, and where there is no other legal ground for the processing;
o the data subject objects to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) GDPR;
o the personal data have been unlawfully processed;
o the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
o the personal data of minors under the age of 16 have been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.
Where the controller has made the personal data public and is obliged pursuant to Article 17(1) GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
The right to erasure shall not apply to the extent that processing is necessary
o for exercising the right of freedom of expression and information;
o for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
o for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) GDPR as well as Article 9(3) GDPR;
o for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
for the establishment, exercise or defence of legal claims.
Right to restriction of processing
You have the right to obtain restriction of processing of personal data concerning you where one of the following applies:
o the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
o the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
o the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
o the data subject has objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
Insofar as one of the above-named conditions applies and a data subject wishes to demand the restriction of processing of personal data stored by the ZZF, they can contact the above-named controllers at any time for this purpose.
Right to data portability
You have the right to receive the personal data concerning you, which you provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where
o the processing is based on consent pursuant to point (a) of Article 6(1) GDPR or point (a) of Article 9(2) GDPR or on a contract pursuant to point (b) of Article 6(1) GDPR; and
o the processing is carried out by automated means.
In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. This shall not adversely affect the rights and freedoms of others.
The right to data portability shall not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Right to information
If you have exercised your right to have the controller rectify, erase or limit the processing of personal data, they are obliged to inform all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction on processing, unless this proves impossible or involves disproportionate effort.
The controller shall inform you about those recipients if you request it.
Right to object
Every data subject shall have the right granted by the European legislator to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions.
In the event of an objection, the ZZF shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Right to withdraw data protection consent
Every data subject shall have the right granted by the European legislator to withdraw his or her consent to the processing of his or her personal data at any time.
If the data subject wishes to exercise the right to withdraw the consent, he or she can contact an employee of the controller for this purpose at any time.
Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.