Support

Privacy Policy

Scope

This Privacy Policy applies to our website (correlaid.org) and the social media accounts of CorrelAid e.V. It does not apply to any linked websites or online presences of other providers.

I. General Information

Data Controller

The entity responsible for the processing of personal data within the scope of this Privacy Policy is:

CorrelAid e.V.
Pasteurstr. 34
10407 Berlin
E-Mail: info@correlaid.org

Questions About Data Protection

If you have any questions regarding data protection in connection with our association or our website, please contact our Data Protection Officer:

SPIRIT LEGAL Rechtsanwaltsgesellschaft mbH
Attorney and Data Protection Officer
Peter Hense
Mailing Address:
Data Protection Officer
c/o CorrelAid e.V., Pasteurstr. 34, 10407 Berlin

Contact us via the encrypted online form:
Contact the Data Protection Officer

Security

We have implemented comprehensive technical and organizational measures to protect your personal data from unauthorized access, misuse, loss, and other external threats. To this end, we regularly review our security measures and adapt them to the latest technological standards.

Your Rights

You have the following rights regarding your personal data, which you may exercise by contacting us:

You may exercise your rights by contacting us using the contact information provided in the “Data Controller” section or by contacting the data protection officer we have designated.

If you believe that the processing of your personal data violates data protection law, you also have the right under Article 77 of the GDPR to lodge a complaint with a data protection supervisory authority of your choice. This includes the data protection supervisory authority responsible for the controller:

Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59-61, 10555 Berlin, phone: 030/138 89-0, Email: mailbox@datenschutz-berlin.de, https://www.datenschutz-berlin.de.

II. Data Processing on Our Website

1. Use of Our Website

When you visit our website, your browser transmits information to the server to establish a connection and display the content securely, quickly, reliably, and in the correct format on your device. The following data may be processed in this process:

The temporary processing of this data is necessary to technically enable the flow of a website visit and the delivery of the website to your device. The access data is not used to identify individual users and is not combined with other data sources. The legal basis for the processing is Article 6(1)(f) of the GDPR. The processing serves our legitimate interest in displaying the content of our website to you quickly, reliably, and in the correct format; in ensuring the security and functionality of our website; and in being able to investigate and pursue any unlawful attacks on our website. The access data is deleted as soon as it is no longer necessary to achieve the purpose of its processing.

You may object to the processing. Your right to object applies for reasons arising from your particular situation. You may submit your objection to us using the contact information provided in the “Data Controller” section.

2. Contacting Our Association

When you contact our association—for example, via email—we process the personal data you provide in order to respond to your inquiry. The legal basis for this processing is Article 6(1)(f) of the GDPR or Article 6(1)(b) of the GDPR if the purpose of contacting us is to enter into a contract. If your inquiry is intended to lead to the conclusion of a contract, providing your data is required and mandatory. If you do not provide the data, it will not be possible to conclude or perform the contract or to process your inquiry. We will delete the data collected in this context once processing is no longer necessary, or, where applicable, restrict processing to comply with existing mandatory statutory retention requirements.

You may object to the processing. Your right to object applies for reasons arising from your specific situation. You may submit your objection to us using the contact information provided in the “Data Controller” section.

3. Contact Management and Office Software

For our contact management, we use the Customer Relationship Management (CRM) system CiviCRM provided by civiservice.de GmbH, Rheingaustraße 167, 65203 Wiesbaden. civiservice GmbH acts as our data processor on the basis of an agreement pursuant to Article 28 of the GDPR.

For office software, we use the Google Workspace suite, a service provided by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Ltd. acts as our data processor on the basis of an agreement pursuant to Article 28 of the GDPR.

4. Offers for Nonprofit Organizations (NPOs)

a) Courses and Workshops

When you register for a course or workshop, it is necessary and mandatory for you to provide personal data such as your first and last name, your organization and professional background, your motivation, and your contact information. The mandatory information required for participation is marked separately; additional information is provided voluntarily. We process your data for the purpose of registration and conducting the course or workshop. The legal basis for the processing is Article 6(1)(b) of the GDPR. Providing your data is necessary and mandatory for participation or for conducting the event. If you do not provide your data, registration and/or participation will not be possible. After you register, we will send you a registration confirmation via email, as well as additional information depending on the event—such as access credentials for the virtual event room. We will delete the data collected in this context once storage is no longer necessary, or restrict processing if statutory retention obligations apply.

For registration, we use the pretix ticketing platform provided by pretix GmbH, Berthold-Mogel-Straße 1, 69126 Heidelberg. pretix processes your information on our behalf and based on a so-called data processing agreement in accordance with Art. 28 of the GDPR.

Depending on the type of course or workshop, we use the following additional services to conduct them:

(1) For our online courses, we use the learning platform Moodle, an open-source project hosted for us by eLeDia GmbH | eLearning im Dialog, Wilhelmsaue 37, 10713 Berlin. eLeDia GmbH processes your data on our behalf based on a so-called data processing agreement in accordance with Article 28 of the GDPR.

(2) In some courses, we use the communication and project management platform Slack, a service provided by Slack Technologies Limited, Salesforce Tower, 60 R801, North Dock, Dublin, Ireland. Slack processes your data on our behalf based on a so-called data processing agreement in accordance with Article 28 of the GDPR.

(3) We use Zoom, a service provided by Zoom Communications, Inc., 55 Almaden Blvd, Suite 600, San Jose, CA 95113, as our video conferencing software. Zoom processes the data you provide on our behalf to enable you to participate in our digital event. We have entered into a data processing agreement with Zoom in accordance with Article 28 of the GDPR. Zoom also processes your personal data in the United States. An adequacy decision by the European Commission exists for data transfers to the United States. Zoom is certified under this decision. In addition, we have entered into so-called standard contractual clauses with Zoom to ensure that Zoom maintains an adequate level of data protection. You can obtain the Data Processing Agreement, including a copy of the Standard Contractual Clauses, at https://www.zoom.com/de/trust/gdpr/.

b) Data Consultation Sessions

If you would like to book a data consultation with us—whether as part of a course or project, or otherwise—it is necessary and mandatory that you provide personal data such as your name, your organization, and your contact information (email address). The legal basis for the processing is Article 6(1)(b) of the GDPR. Providing your data is required and mandatory for participation or for the session to take place. If you do not provide your data, registration and/or the session cannot take place. We will delete the data collected in this context once storage is no longer necessary, or restrict processing if statutory retention obligations apply.

To register for the data consultation sessions, we use the Zeeg service, a product offered by Zeeg GmbH, Friedrichstraße 114a, 10117 Berlin. Zeeg GmbH processes your data on our behalf based on a so-called data processing agreement in accordance with Article 28 of the GDPR.

We use Zoom, a service provided by Zoom Communications, Inc., 55 Almaden Blvd, Suite 600, San Jose, CA 95113, as our video conferencing software. Zoom processes the data you provide on our behalf to enable you to participate in our data consultation sessions. We have entered into a data processing agreement with Zoom in accordance with Article 28 of the GDPR. Zoom also processes your personal data in the United States. An adequacy decision by the European Commission exists for data transfers to the United States. Zoom is certified under this decision. In addition, we have entered into so-called standard contractual clauses with Zoom to ensure that Zoom maintains an adequate level of data protection. You can obtain the Data Processing Agreement, including a copy of the Standard Contractual Clauses, at https://www.zoom.com/de/trust/gdpr/.

c) Newsletter for Nonprofit Organizations (NPOs)

In our monthly newsletter for nonprofits, we provide insights into our work: past Data4Good projects, upcoming events and educational workshops, updates from our community, and the latest PR activities. To receive the newsletter, you must provide your email address as well as your first and last name. We process this data for the purpose of sending the newsletter. Additionally, you have the option to provide your organization’s website and its area of activity. We process this data with your consent for analytical purposes to better understand the target groups we reach.

The legal basis for the processing is Article 6(1)(a) of the GDPR. We will delete your data once processing is no longer necessary or, if applicable, restrict processing to comply with existing mandatory legal retention requirements.

You may withdraw your consent(s) to the processing of your personal data in connection with your subscription to our newsletter at any time. You may withdraw your consent to the processing of your data for the purpose of receiving the newsletter either by clicking directly on the unsubscribe link in the newsletter or by sending us a message using the contact information provided under “Data Controller.” You can withdraw your consent to the processing of your optional data by sending us a message using the contact information provided under “Data Controller.” Your withdrawal does not affect the lawfulness of the processing that took place based on your consent up until the time of your withdrawal.

Double-Opt-In Procedure

To document your newsletter subscription and prevent misuse of your personal data, registration for our email newsletter is carried out using the so-called double-opt-in procedure. After you enter the information marked as required, we will send you an email to the address you provided, asking you to explicitly confirm your newsletter subscription by clicking on a confirmation link. In doing so, we process your IP address, the date and time of your newsletter registration, and the time of your confirmation. This ensures that you truly wish to receive our email newsletter. We are legally required to document your consent to the processing of your personal data in connection with your newsletter subscription (Art. 7(1) GDPR). Due to this legal obligation, data processing is carried out on the basis of Art. 6(1)(c) GDPR.

Newsletter Tracking

We also statistically analyze newsletter open rates, the number of clicks on links contained in the newsletters, and reading duration. For this purpose, user behavior within the newsletters we send is analyzed using device-specific information (e.g., the email client used and software settings). For this analysis, the emails we send contain so-called web beacons or tracking pixels.

The legal basis for this processing is Article 6(1)(a) of the GDPR. We will delete your data once processing is no longer necessary or, if applicable, restrict processing to comply with existing mandatory statutory retention requirements.

You may withdraw your consent at any time, either by sending us a message (see the contact information in the “Data Controller” section) or by clicking the unsubscribe link included in the newsletter. This does not affect the lawfulness of the processing carried out on the basis of your consent up until the time of your withdrawal.

Email Marketing Service Provider

We use the external marketing service provider “MailerLite,” a service offered by MailerLite Limited (88 Harcourt Street, Dublin 2, D02 DK18, Ireland), to send the newsletter. MailerLite processes your personal data as our data processor pursuant to a data processing agreement in accordance with Article 28 of the GDPR.

d) Data Projects

When we collaborate on a data project, we process your personal data — such as your name, organization, role within the organization, and contact information — for the purpose of carrying out the project. The legal basis for this processing is Article 6(1)(b) of the GDPR. Providing your data is necessary and mandatory for participation or implementation. If you do not provide your data, registration and/or implementation will not be possible. We will delete the data collected in this context once storage is no longer necessary, or restrict processing if statutory retention obligations apply.

To carry out the project, we use the following services—in addition to contact management and office software (see Section 3):

(1) The communication and project management platform Slack, a service provided by Slack Technologies Limited, Salesforce Tower, 60 R801, North Dock, Dublin, Ireland. We have entered into a data processing agreement with Slack in accordance with Article 28 of the GDPR.

(2) For video conferencing, we use Zoom, a service provided by Zoom Communications, Inc., 55 Almaden Blvd, Suite 600, San Jose, CA 95113. Zoom processes the data you provide on our behalf to enable you to participate in our digital event. We have entered into a data processing agreement with Zoom in accordance with Article 28 of the GDPR. Zoom also processes your personal data in the United States. An adequacy decision by the European Commission exists for data transfers to the United States. Zoom is certified under this decision. In addition, we have entered into so-called standard contractual clauses with Zoom to ensure that Zoom maintains an adequate level of data protection. You can access the Data Processing Agreement, including a copy of the Standard Contractual Clauses, at https://www.zoom.com/de/trust/gdpr/.

(3) We use Mural, a service provided by Tactivos, Inc., 611 Gateway Boulevard, Suite 120 - #1015, San Francisco, CA 94080, USA, as a digital whiteboard. Mural processes the data you provide on our behalf. We have entered into a data processing agreement with Mural in accordance with Article 28 of the GDPR. Mural also processes your personal data in the United States. An adequacy decision by the European Commission exists for data transfers to the United States. Tactivos, Inc. is certified under this decision. In addition, so-called Standard Contractual Clauses have been agreed upon with Mural to ensure that Mural maintains an adequate level of data protection. You can obtain the Data Processing Agreement, including a copy of the Standard Contractual Clauses, at https://www.mural.co/terms/data-processing-addendum

5. Volunteer Community

a) Volunteer Network

If you join our volunteer network, it is necessary and mandatory that you provide personal data such as your first and last name and your contact information (e.g., email address). The legal basis for the processing is Article 6(1)(b) of the GDPR. Providing your data is required and mandatory for participation in the volunteer network. If you do not provide your data, participation is not possible. We will delete the data collected in this context once storage is no longer necessary, or restrict processing if statutory retention obligations apply.

We organize our volunteer network via the communication and project management platform Slack, a service provided by Slack Technologies Limited, Salesforce Tower, 60 R801, North Dock, Dublin, Ireland. We have entered into a data processing agreement with Slack in accordance with Article 28 of the GDPR.

b) Newsletter for Volunteers

In our volunteer newsletter, you’ll not only receive the monthly CorrelNews—packed with information and updates from our Data4Good community—but also calls for applications for our Data4Good projects and invitations to major CorrelAid events such as our annual community meetup. You can also subscribe to updates from CorrelAidX local groups in your area.

To receive the newsletter, you must provide your email address and first name. We process this data for the purpose of sending you the newsletter. In addition, you have the option to select one or more CorrelAidX local groups. In this case, we will keep you informed about updates from the selected local group(s). You may also optionally provide your gender, year of birth, country, and city. We process this data with your consent for analytical purposes to better understand the composition of our newsletter recipients.

The legal basis for the processing is Article 6(1)(a) of the GDPR. The legal basis for the processing is Article 6(1)(a) of the GDPR. We will delete your data once processing is no longer necessary or, where applicable, restrict processing to comply with existing mandatory statutory retention requirements.

You may withdraw your consent(s) to the processing of your personal data in connection with your subscription to our newsletter at any time. You may withdraw your consent to the processing of your data for the purpose of receiving the newsletter either by clicking directly on the unsubscribe link in the newsletter or by sending us a message using the contact information provided under “Data Controller.” You can withdraw your consent to the processing of your optional data by sending us a message using the contact information provided under “Data Controller.” Your withdrawal does not affect the lawfulness of the processing that took place based on your consent up until the time of your withdrawal.

Double-Opt-In Procedure

To document your newsletter subscription and prevent misuse of your personal data, registration for our email newsletter is carried out using the so-called double-opt-in procedure. After you enter the information marked as required, we will send you an email to the address you provided, asking you to explicitly confirm your newsletter subscription by clicking on a confirmation link. In doing so, we process your IP address, the date and time of your newsletter registration, and the time of your confirmation. This ensures that you truly wish to receive our email newsletter. We are legally required to document your consent to the processing of your personal data in connection with your newsletter subscription (Art. 7(1) GDPR). Due to this legal obligation, data processing is based on Art. 6(1)(c) GDPR.

Newsletter Tracking

We also statistically analyze newsletter open rates, the number of clicks on links contained in the newsletters, and reading duration. For this purpose, user behavior within the newsletters we send is analyzed using device-specific information (e.g., the email client used and software settings). For this analysis, the emails we send contain so-called web beacons or tracking pixels.

The legal basis for this processing is Article 6(1)(a) of the GDPR. We will delete your data once processing is no longer necessary or, if applicable, restrict processing to comply with existing mandatory statutory retention requirements.

You may withdraw your consent at any time, either by sending us a message (see the contact information in the “Data Controller” section) or by clicking the unsubscribe link directly in the newsletter. This does not affect the lawfulness of the processing carried out on the basis of your consent up until the time of your withdrawal.

Email Marketing Service Provider

We use the external marketing service provider “MailerLite,” a service offered by MailerLite Limited (88 Harcourt Street, Dublin 2, D02 DK18, Ireland), to send the newsletter. MailerLite processes your personal data as our data processor pursuant to a data processing agreement in accordance with Art. 28 of the GDPR.

c) Community Workshops and Courses

If you register for one of our community workshops or courses, or if you assist as a tutor in one of our workshops or courses, it is necessary and mandatory that you provide personal data such as your first and last name, your prior knowledge, your motivation, and your contact information. The mandatory information required for participation is marked separately; additional information is provided on a voluntary basis. We process your data for the purpose of registration and conducting the course or workshop. The legal basis for this processing is Article 6(1)(b) of the GDPR. Providing your data is required and mandatory for participation or for the event to take place. If you do not provide your data, registration and/or participation will not be possible. After you register, we will send you a registration confirmation via email, as well as additional information depending on the event—such as access credentials for the virtual event room. We will delete the data collected in this context once storage is no longer necessary, or restrict its processing if statutory retention obligations apply.

For registration, we use the pretix ticketing platform provided by pretix GmbH, Berthold-Mogel-Straße 1, 69126 Heidelberg. pretix processes your information on our behalf and based on a so-called data processing agreement in accordance with Art. 28 of the GDPR.

Depending on the type of course or workshop, we use the following additional services to conduct them:

(1) For our online courses, we use the learning platform Moodle, an open-source project hosted for us by eLeDia GmbH | eLearning im Dialog, Wilhelmsaue 37, 10713 Berlin. eLeDia GmbH processes your data on our behalf based on a so-called data processing agreement in accordance with Article 28 of the GDPR.

(2) In some courses, we use the communication and project management platform Slack, a service provided by Slack Technologies Limited, Salesforce Tower, 60 R801, North Dock, Dublin, Ireland. Slack processes your data on our behalf based on a so-called data processing agreement in accordance with Article 28 of the GDPR.

(3) We use Zoom, a service provided by Zoom Communications, Inc., 55 Almaden Blvd, Suite 600, San Jose, CA 95113, as our video conferencing software. Zoom processes the data you provide on our behalf to enable you to participate in our digital event. We have entered into a data processing agreement with Zoom in accordance with Article 28 of the GDPR. Zoom also processes your personal data in the United States. An adequacy decision by the European Commission exists for data transfers to the United States. Zoom is certified under this decision. In addition, we have entered into so-called standard contractual clauses with Zoom to ensure that Zoom maintains an adequate level of data protection. You can obtain the Data Processing Agreement, including a copy of the Standard Contractual Clauses, at https://www.zoom.com/de/trust/gdpr/.

d) Data Projects

If you apply for one of our data projects, we process your personal data—such as first and last name, gender, language skills and prior knowledge, motivation, and contact information—for the purpose of carrying out the project. The legal basis for this processing is Article 6(1)(b) of the GDPR. The mandatory information required for participation is marked separately; additional information is provided voluntarily. Providing your data is necessary and mandatory for participation or the implementation of the project. If you do not provide your data, you will not be able to apply and/or participate. We will delete the data collected in this context once storage is no longer necessary, or restrict processing if statutory retention obligations apply.

As part of the project, we will share your contact information with the respective project partners.

To carry out the project, we use the following services—in addition to contact management and office software (see Section 3)):

(1) The communication and project management platform Slack, a service provided by Slack Technologies Limited, Salesforce Tower, 60 R801, North Dock, Dublin, Ireland. We have entered into a data processing agreement with Slack in accordance with Article 28 of the GDPR.

(2) For video conferencing, we use Zoom, a service provided by Zoom Communications, Inc., 55 Almaden Blvd, Suite 600, San Jose, CA 95113. Zoom processes the data you provide on our behalf to enable you to participate in our digital event. We have entered into a data processing agreement with Zoom in accordance with Article 28 of the GDPR. Zoom also processes your personal data in the United States. An adequacy decision by the European Commission exists for data transfers to the United States. Zoom is certified under this decision. In addition, we have entered into so-called standard contractual clauses with Zoom to ensure that Zoom maintains an adequate level of data protection. You can access the Data Processing Agreement, including a copy of the Standard Contractual Clauses, at https://www.zoom.com/de/trust/gdpr/.

(3) We use Mural, a service provided by Tactivos, Inc., 611 Gateway Boulevard, Suite 120 - #1015, San Francisco, CA 94080, USA, as a digital whiteboard. Mural processes the data you provide on our behalf. We have entered into a data processing agreement with Mural in accordance with Article 28 of the GDPR. Mural also processes your personal data in the United States. An adequacy decision by the European Commission exists for data transfers to the United States. Tactivos, Inc. is certified under this decision. In addition, so-called Standard Contractual Clauses have been agreed upon with Mural to ensure that Mural maintains an adequate level of data protection. You can obtain the Data Processing Agreement, including a copy of the Standard Contractual Clauses, at https://www.mural.co/terms/data-processing-addendum

(4) To register for our data projects, we use the Kobo Toolbox, hosted by DigitalOcean, LLC, 105 Edgeview Drive, Ste. 425, Broomfield, CO 80021, USA. DigitalOcean processes the data you submit on our behalf. We have entered into a data processing agreement with DigitalOcean in accordance with Article 28 of the GDPR. DigitalOcean also processes your personal data in the United States. We have entered into so-called Standard Contractual Clauses with DigitalOcean to ensure that DigitalOcean maintains an adequate level of data protection. You can access the Data Processing Agreement, including a copy of the Standard Contractual Clauses, at https://www.digitalocean.com/legal/data-processing-agreement

Depending on the project and project partner, additional services may be used that we cannot specify here at this time.

e) Mentoring

If you’d like to register for our mentoring program as a mentor or mentee, we’ll collect personal data from you via a questionnaire that’s relevant for the matching process. This includes: your name, your email address, your gender (optional), your (desired) area of expertise and industry, your educational background, your language, and additional details regarding the mentoring (offer, preferences). We use this data to match suitable pairs and to put you in contact with one another. We also use your email address to send you invitations to thematic networking events during the mentoring period and to send you an anonymous feedback questionnaire after the mentoring program has concluded.

The legal basis is Article 6(1)(b) of the GDPR. Providing your data is required and mandatory for participation in the mentoring program. If you do not provide your data, participation is not possible. We will delete the data collected in this context once storage is no longer necessary (usually after the mentoring program ends), or restrict processing if statutory retention obligations apply.

6. Events

When you register for one of our events, it is necessary and mandatory for you to provide personal data such as your first and last name and your contact information. The mandatory information required for participation is marked separately; additional information is provided voluntarily. We process your data for the purpose of registration and conducting the event. The legal basis for the processing is Article 6(1)(b) of the GDPR. Providing your data is necessary and mandatory for participation or for conducting the event. If you do not provide your data, registration and/or the event cannot take place. After you register, we will send you a registration confirmation via email, as well as additional information depending on the event. We will delete the data collected in this context once storage is no longer necessary, or restrict processing if statutory retention obligations apply.

For registration, we use the pretix ticketing platform provided by pretix GmbH, Berthold-Mogel-Straße 1, 69126 Heidelberg. pretix processes your information on our behalf and based on a so-called data processing agreement pursuant to Art. 28 of the GDPR.

If we take photos, videos, or recordings at the event, we will inform you of this no later than the start of the event. Depending on the event, the legal basis for processing is either your consent pursuant to Article 6(1)(a) of the GDPR or our legitimate interest in documentation and public relations pursuant to Article 6(1)(f) of the GDPR.

7. Partnerships

a) Civic Data Lab

We are a partner of the Civic Data Lab (CDL), a joint project of the Gesellschaft für Informatik e.V., the Deutscher Caritasverband e.V., and CorrelAid e.V. On our website, under “Events,” you’ll also find offerings from the CDL. Information on the processing of your personal data in connection with the CDL can be found at https://civic-data.de/datenschutz/.

b) Data Atlas for Civil Society

We offer data consultation sessions for the Data Atlas for Civil Society, a project of the Bertelsmann Stiftung. If you would like to book a data consultation session with us as part of this project, you are required to provide personal data such as your name, your organization, and your contact information (email address). We process your data exclusively on behalf of the Bertelsmann Foundation based on a data processing agreement in accordance with Art. 28 of the GDPR. Further information—for example, regarding the legal basis or your rights—can be found in the Data Atlas for Civil Society’s privacy policy at https://datenatlas-zivilgesellschaft.de/de/datenschutz.

To register for the data consultation sessions, we use the Zeeg service, a product offered by Zeeg GmbH, Friedrichstraße 114a, 10117 Berlin. Zeeg GmbH processes your data on our behalf based on a so-called data processing agreement in accordance with Article 28 of the GDPR.

c) DatenDialog

Together with the Bertelsmann Stiftung (Carl-Bertelsmann-Str. 256, 33311 Gütersloh, Phone: 0521 / 96535-812, Email: datenschutz@bertelsmann-stiftung.de), we organize the collaborative event series DatenDialog. When you register for an event as part of DatenDialog, it is necessary and mandatory for you to provide personal data such as your first and last name and your contact information. The mandatory information required for participation is marked separately; additional information is provided on a voluntary basis. We process your data for the purpose of registration and conducting the event. The legal basis for this processing is Article 6(1)(b) of the GDPR. Providing your data is necessary and mandatory for participation or for conducting the event. If you do not provide your data, registration and/or the event cannot take place. After you register, we will send you a registration confirmation via email, as well as additional information depending on the event. We will delete the data collected in this context once storage is no longer necessary, or restrict processing if statutory retention obligations apply.

We use the Kobo Toolbox for registration, hosted by DigitalOcean, LLC, 105 Edgeview Drive, Ste. 425, Broomfield, CO 80021, USA. DigitalOcean processes the data you submit on our behalf. We have entered into a data processing agreement with DigitalOcean in accordance with Article 28 of the GDPR. DigitalOcean also processes your personal data in the United States. We have entered into so-called Standard Contractual Clauses with DigitalOcean to ensure that DigitalOcean maintains an adequate level of data protection. You can access the Data Processing Agreement, including a copy of the Standard Contractual Clauses, at https://www.digitalocean.com/legal/data-processing-agreement

We process your personal data jointly with the Bertelsmann Stiftung. For this purpose, we have entered into a joint controller agreement with the Bertelsmann Stiftung, the key provisions of which we provide to you as follows:

You may exercise your rights under Articles 13, 14, and 15 of the GDPR at your discretion with either CorrelAid e.V. or the Bertelsmann Foundation, regardless of the areas of responsibility defined in the joint controller agreement governing their internal relationship.

8. Public Relations

To publicize our association’s offerings and report on our projects, we actively engage in public relations. This includes our website and social media presence (see also Section III), as well as press releases and publications by third parties. To the extent that we process personal data in this context (e.g., photos), we will inform you accordingly and, if necessary, obtain your consent.

To create posts as part of our public relations efforts, we use Canva, a service provided by Canva Pty Ltd, 110 Kippax St, Surry Hills NSW 2010, Australia. Canva processes your personal data on our behalf based on a data processing agreement pursuant to Art. 28 of the GDPR. Canva also processes your personal data in Australia. Standard contractual clauses have been concluded with Canva to ensure that Canva maintains an adequate level of data protection. A copy of the standard contractual clauses is available at https://www.canva.com/policies/data-processing-addendum/.

9. Vimeo

We use the “Vimeo” plugins provided by Vimeo, Inc. (330 West 34th Street, 10th Floor, New York, New York 10001, USA; hereinafter: “Vimeo”) to embed videos on our website. By processing data through these plugins, we aim to embed visual content (“videos”) that we have published on https://www.vimeo.com on this website as well. When you visit one of our pages featuring the Vimeo plugin, a connection is established with Vimeo’s servers. Vimeo uses so-called cookies, which are stored on your device. In the process, information about which website you have visited is transmitted to Vimeo’s server. In addition, some of the data listed in the section “Use of Our Website” is transmitted. This occurs regardless of whether you are logged into your Vimeo user account or do not have a user account. If you are logged in as a Vimeo member, Vimeo associates this information with your personal user account. When you use the plug-in—for example, by playing a video by clicking the play button—this information is also associated with your user account. Vimeo stores your data as usage profiles and processes it—regardless of whether you have a Vimeo user account—for the purposes of advertising, market research, and/or tailoring websites to user needs. With regard to the storage of and access to information on your device, your consent serves as the legal basis pursuant to Section 25(1) of the TDDDG; for further processing, your consent also serves as the legal basis pursuant to Article 6(1)(a) of the GDPR. Vimeo also processes your data on servers in the United States. Standard contractual clauses have been entered into with Vimeo, Inc. to ensure that Vimeo, Inc. maintains an adequate level of data protection.

You can access a copy of the standard contractual clauses at https://www.vimeo.axdraft.com/.

You may withdraw your consent to the processing at any time by reloading the page. You will then be asked for your consent again to play the video. The lawfulness of the processing remains unaffected until the withdrawal is exercised.

10. Donations via our donation form (Twingle)

We use the donation form provided by twingle GmbH, Prinzenallee 74, 13357 Berlin, on our website. twingle GmbH provides the technical platform for the donation process through this donation form. The data you enter when making a donation (e.g., address, bank account information, etc.) is stored by twingle solely for the purpose of processing the donation on servers located in Germany. Twingle processes the information you provide on the donation form on our behalf and based on a so-called data processing agreement in accordance with Article 28 of the GDPR. The legal basis is Article 6(1)(b) of the GDPR. Providing your data in the donation form is mandatory in order to make a donation via the form. If you do not provide us with your data, you will not be able to send us your donation via our donation form. However, if you do not wish to use the form, you are welcome to send us a direct request using the contact information provided under “Data Controller.” We will delete the data collected via the donation form once processing is no longer necessary, or, where applicable, restrict processing to comply with existing mandatory legal retention requirements.

11. Hosting

We use external hosting services provided by Vercel Inc. (440 N Barranca Ave #4133, Covina, CA 91723, USA) to provide the following services: infrastructure and platform services, computing capacity, storage resources, and database services, as well as security and technical maintenance services. For these purposes, all data—including the access data mentioned under “Use of Our Website”—that is necessary for the operation and use of our website is processed. The provider processes your personal data as our data processor pursuant to a data processing agreement in accordance with Article 28 of the GDPR. Vercel also processes your personal data in the United States. An adequacy decision by the European Commission exists for data transfers to the United States. Vercel is certified under this decision. In addition, so-called standard contractual clauses have been concluded with Vercel to ensure that Vercel maintains an adequate level of data protection. You can obtain a copy of the standard contractual clauses at https://vercel.com/legal/dpa.

12. Plausible Web Analytics Software

We use the web analytics software Plausible to improve our website and make it more user-friendly. The provider is “Plausible Insights OÜ” (Plausible Insights OÜ, Västriku tn 2, 50403, Tartu, Estonia). Plausible does not collect or store any personal data of individual visitors, but merely analyzes access data in aggregated form. Specifically, Plausible uses the following data categories: request content (specific webpage), referrer URL (the previously visited website), browser, operating system, device type, country, region, and city.

The legal basis for the processing is Article 6(1)(f) of the GDPR. Our legitimate interests lie in analyzing and improving our website. Your data is stored for analytical purposes only in aggregated, non-personal form.

You may object to the processing. Your right to object applies for reasons arising from your particular situation. You may submit your objection to us using the contact information provided in the “Data Controller” section.

III. Data Processing on Our Social Media Platforms

1. General

We maintain publicly accessible profiles on various social networks (hereinafter collectively referred to as “our profiles”). Your visit to our profiles triggers a variety of data processing operations. Below, we provide an overview of which of your personal data we collect, use, and store when you visit our profiles. You are not required to provide us with your personal data. However, this may be necessary for certain features of our profiles on social networks. These features will not be available to you, or will be available only to a limited extent, if you do not provide us with your personal data.

When you visit our profiles, your personal data is collected, used, and stored not only by us but also by the operators of the respective social network. This occurs even if you do not have a profile on that social network yourself. The specific data processing activities and their scope vary depending on the operator of the respective social network and are not necessarily transparent to us. For details on the collection and storage of your personal data, as well as the nature, scope, and purpose of its use by the operator of the respective social network, please refer to the privacy policies of the respective operator:

a) Instagram

You can view the privacy policy for the social network Instagram, which is operated by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland, at https://privacycenter.instagram.com/policy.

b) Mastodon

You can view the privacy policy for the social network Mastodon at https://masto.ai/privacy-policy.

c) LinkedIn

You can view the privacy policy for the social network LinkedIn, operated by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, at https://ch.linkedin.com/legal/privacy-policy.

d) Facebook

You can view the privacy policy for the social network Facebook, which is operated by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland, at https://www.facebook.com/privacy/policy/?locale=de_DE.

e) YouTube

The privacy policy for the video platform YouTube, operated by YouTube, LLC (headquartered at 901 Cherry Avenue, San Bruno, CA 94066, USA; hereinafter: “YouTube”), a subsidiary of “Google” (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, and Google, LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter: “Google”), can be viewed at https://policies.google.com/privacy?hl=de.

2. Communication with Users

We use our profiles for public relations purposes related to our association and to communicate with and establish contact with nonprofits and potential volunteers. In connection with the use of our profiles, we process personal data such as your name, your profile picture, and the information you have provided through interactive features (e.g., commenting, sharing, and rating). The legal basis for operating our profiles and processing personal data is Article 6(1)(f) of the GDPR. Our legitimate interest lies in promoting our association.

When you visit our profiles, data may be processed outside the European Union, particularly in the United States. An adequacy decision by the European Commission exists for data transfers to the United States. The aforementioned social media providers are certified under this decision. You can find further information about any data transfers to a third country and the relevant legal basis in the privacy policies of the social networks.

We have no influence over the retention period of your personal data that you have published on our profiles. We store your data until the purpose of the processing has been fulfilled, or we restrict processing if statutory retention obligations apply. Further information on data protection and the retention period can be found in the privacy policies of the social networks linked above.

You may object to the processing. Your right to object applies for reasons arising from your specific situation. You can submit your objection to us using the contact information provided in the “Data Controller” section.

3. Statistical Information and Joint Responsibility with Social Networks

The operators of the social networks on which we maintain our profiles provide us with anonymized statistical analyses of interactions with our profiles. We use this data to improve the user experience on our profiles. It is not possible for us to identify individual users or access individual user profiles. Our legal basis for processing the information from the statistical analysis is Article 6(4) of the GDPR in conjunction with Article 6(1), first sentence, letter f) of the GDPR. Our legitimate interest in the statistical analysis lies in improving and tailoring our advertising measures based on the information collected and in gaining a better understanding of user interaction on our profiles.

You may object to this processing. Your right to object applies for reasons arising from your particular situation. You may submit your objection to us using the contact information provided in the “Data Controller” section.

According to the case law of the European Court of Justice, the use of statistical analyses may, under certain circumstances, be classified as data processing under joint responsibility of the social network operator and the profile owner. Against this background, we have entered into a joint responsibility agreement pursuant to Art. 26 of the GDPR with the following social network operators:

a) LinkedIn

You can view the Joint Controller Agreement for LinkedIn Page Insights at https://legal.linkedin.com/pages-joint-controller-addendum.

b) Facebook

You can view the Joint Controller Agreement for Instagram and Facebook Page Insights at https://www.facebook.com/legal/controller_addendum.

4. Social Media Management

For our social media management, we use Buffer, a service provided by Buffer Inc., 2443 Fillmore St #380-7163, San Francisco, CA 94115. Buffer also processes your personal data in the United States. The European Commission has issued an adequacy decision regarding data transfers to the United States, and Buffer is certified under this decision. In addition, so-called standard contractual clauses have been agreed upon with Buffer to ensure that Buffer maintains an adequate level of data protection. You can obtain the Data Processing Agreement, including a copy of the standard contractual clauses, at https://dochub.com/buffer/Xv7zYW5RnzkbEZR2A9egxG/buffer-data-processing-addendum.

Translated with the help of DeepL

Copyright by Spirit Legal

Newsletter