Privacy Policy

Preamble

The counselling centre elly – Hatespeech Beratung in Thüringen is operated by re:solut – Rundum engagiert: solidarische Unterstützung in Thüringen e.V. The association is an organisation of the Evangelical Church in Central Germany (hereinafter “EKM”). We take the protection of your personal data and the legal obligations designed to ensure this protection very seriously. The legal requirements demand comprehensive transparency regarding the processing of personal data. Only if the processing is comprehensible to you as the data subject are you sufficiently informed about the purpose, scope and use of your data.

With this privacy policy, we would like to inform you about which types of your personal data (hereinafter also referred to as “data”) we process, for which purposes and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as the “online offering”).

Status: 3 February 2025

Controller

re:solut – Rundum engagiert: solidarische Unterstützung in Thüringen e.V.
Juri-Gagarin-Ring 96/98
99084 Erfurt
Authorised representative: Franz Zobel
Email: info@ezra.de
Legal notice: https://ezra.de/impressum/

Contact Data Protection Officer

re:solut – Rundum engagiert: solidarische Unterstützung in Thüringen e.V.
David Rolfs
datenschutz@re-solut.de
Juri-Gagarin-Ring 96/98
99084 Erfurt

Overview of Processing

The following overview summarises the types of data processed, the purposes of processing and the data subjects involved.

Types of data processed

  • Inventory data
  • Employee data
  • Payment data
  • Contact data
  • Content data
  • Contract data
  • Usage data
  • Meta, communication and procedural data
  • Social data
  • Applicant data
  • Image and video recordings
  • Audio recordings
  • Log data
  • Performance and behavioural data
  • Member data
  • Working-time data
  • Creditworthiness data
  • Salary data

Special categories of data

  • Health data
  • Religious or ideological beliefs

Categories of data subjects

  • Service recipients (e.g. counselling clients) and clients
  • Prospective customers
  • Communication partners
  • Users
  • Business and contractual partners
  • Persons depicted
  • Donors
  • Third parties

Purposes of processing

  • Provision of contractual services and performance of contractual obligations
  • Communication
  • Security measures
  • Direct marketing
  • Reach measurement
  • Office and organisational procedures
  • Conversion measurement
  • Administrative and organisational procedures
  • Application procedures
  • Feedback
  • Marketing
  • User profile creation
  • Provision and usability of our online offering
  • IT infrastructure
  • Donation collection / fundraising
  • Public relations and informational purposes
  • Financial and payment management
  • Sales promotion
  • Business processes and administrative procedures

Legal Bases

Relevant legal bases under the GDPR:
Below is an overview of the GDPR legal bases we rely on when processing personal data. Please note that national data protection laws of your or our state of residence may also apply. If specific legal bases are applicable in individual cases, we will inform you accordingly.

  • Consent (Art. 6(1)(a) GDPR) – You have given consent for one or more specific purposes.
  • Contract fulfilment and pre-contractual measures (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract or for pre-contractual steps.
  • Legal obligation (Art. 6(1)(c) GDPR) – Processing is necessary for compliance with a legal obligation.
  • Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for legitimate interests pursued by us or a third party, unless overridden by your interests or fundamental rights.
  • Application procedure (Art. 6(1)(b) GDPR and Art. 9 GDPR) – Special provisions for processing sensitive data during application processes.
  • Processing special categories of personal data in health, professional or social security contexts (Art. 9(2)(h) GDPR)
  • Membership contract (Art. 6(1)(b) GDPR)

National privacy laws (Germany)

In addition to the GDPR, the German Federal Data Protection Act (BDSG) applies, along with state data protection laws.

Security Measures

We take appropriate technical and organisational security measures in accordance with legal requirements, taking into account the state of the art, implementation costs and the nature, scope and purpose of processing.

TLS/SSL encryption (HTTPS)

To protect user data transmitted via our online services, we use TLS/SSL encryption technology. The HTTPS prefix in a web address indicates that the transmission is encrypted.

Transfer of Personal Data

We may transfer personal data to other entities, companies, or persons. This includes IT service providers or providers of integrated services and content.

Data transfer within our organisational group

Data may be shared with other organisational units or companies within our group based on legitimate interests or contractual necessity.

International Data Transfers

Transfers to third countries (outside the EU/EEA) only occur if:

  • an adequacy decision exists (Art. 45 GDPR),
  • Standard Contractual Clauses apply (Art. 46 GDPR),
  • explicit consent is given,
  • or a legal/contractual obligation applies.

References to the EU Commission’s information portal are provided.
We also indicate which providers are certified under the EU–US Data Privacy Framework (DPF).

General Information on Data Storage and Deletion

We delete personal data in accordance with legal requirements once consent is withdrawn or the legal basis no longer exists. Exception: statutory retention periods require longer storage.

Retention periods include:

  • 10 years – accounting records, annual financial statements, etc.
  • 8 years – booking documents (e.g. invoices)
  • 6 years – business correspondence
  • 3 years – limitation period for legal claims

More detailed rules apply depending on the processing context.

Rights of Data Subjects

In accordance with Art. 15–21 GDPR, you have the following rights:

  • Right to object
  • Right to withdraw consent
  • Right of access
  • Right to rectification
  • Right to erasure or restriction
  • Right to data portability
  • Right to lodge a complaint with a supervisory authority

Business Processes and Procedures

Personal data of service recipients (e.g. counselling clients) and clients are processed in the context of contractual and pre-contractual relationships. This includes support for internal processes such as customer management, accounting, payment handling, and project management.

Data may be passed on to third parties if necessary for processing or required by law. Data is deleted after statutory periods expire.

Types of data processed

(inventory data, payment data, contact data, content data, contract data, log data, usage data, creditworthiness data, meta/communication data)

Data subjects

Service recipients, clients, prospective customers, communication partners, business partners, third parties, employees, and users of online services.

Purposes

Contract fulfilment, administrative processes, communication, public relations, credit assessment, financial management, security, IT infrastructure.

Legal bases

  • Contract performance (Art. 6(1)(b) GDPR)
  • Legitimate interests (Art. 6(1)(f) GDPR)
  • Legal obligations (Art. 6(1)(c) GDPR)

Further Information on Processing Activities, Procedures and Services

Retention and Deletion of Data

The following general retention periods apply to the storage and archiving of data under German law:

10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, as well as the working instructions and other organisational documents required for their understanding (§ 147 (1) No. 1 in conjunction with (3) AO; § 14b (1) UStG; § 257 (1) No. 1 in conjunction with (4) HGB).

8 years – Accounting records such as invoices and cost receipts (§ 147 (1) Nos. 4 and 4a in conjunction with (3) sentence 1 AO; § 257 (1) No. 4 in conjunction with (4) HGB).

6 years – Other business documents: received commercial or business correspondence, copies of sent commercial or business correspondence, and other documents relevant for taxation, such as hourly wage slips, cost accounting sheets, calculation documents, price lists, as well as payroll documents (if they are not already accounting documents) and cash register receipts (§ 147 (1) Nos. 2, 3, 5 in conjunction with (3) AO; § 257 (1) Nos. 2 and 3 in conjunction with (4) HGB).

3 years – Data required to take into account potential warranty or compensation claims or similar contractual claims and rights, as well as to process related inquiries, based on past business experience and industry practices. These are stored for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).

Rights of Data Subjects

Under the GDPR, you have various rights as a data subject, particularly those set out in Articles 15 to 21 GDPR:

Right to Object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data carried out on the basis of Article 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions.
If your personal data is processed for direct marketing purposes, you have the right to object at any time to such processing; this also applies to profiling insofar as it is connected to direct marketing.

Right to Withdraw Consent

You have the right to withdraw consent at any time.

Right of Access

You have the right to obtain confirmation as to whether personal data concerning you is being processed and, if so, to obtain access to this data along with further information and a copy of the data in accordance with legal requirements.

Right to Rectification

You have the right to request the completion of incomplete data or the correction of inaccurate data concerning you, in accordance with legal requirements.

Right to Erasure and Restriction of Processing

You have the right to request the immediate deletion of personal data concerning you, or alternatively to request a restriction of processing, in accordance with legal requirements.

Right to Data Portability

You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format, or to request its transfer to another controller, in accordance with legal requirements.

Right to Lodge a Complaint with a Supervisory Authority

In accordance with legal requirements, and without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority—particularly in the Member State of your habitual residence, your place of work, or the place of the alleged infringement—if you consider that the processing of your personal data infringes the GDPR.

Business Processes and Procedures

Personal data of service recipients (e.g. clients seeking advice) and commissioning parties—including customers, clients, or in special cases mandate holders, patients, business partners, and other third parties—are processed within the scope of contractual or comparable legal relationships and pre-contractual measures such as the initiation of business relationships. This data processing supports and facilitates business operations in areas such as customer management, sales, payment transactions, accounting, and project management.

The data collected serves to fulfil contractual obligations and ensure efficient business processes. This includes handling business transactions, managing customer relationships, optimizing sales strategies, and ensuring internal accounting and financial processes. Additionally, the data supports the protection of the controller’s rights and facilitates administrative and organisational tasks.

Personal data may be transferred to third parties if necessary to achieve the aforementioned purposes or to comply with legal obligations. After the expiry of statutory retention periods, or when the purpose of processing no longer applies, the data is deleted. This also includes data which must be stored longer due to tax or statutory documentation requirements.

Types of Data Processed

  • Inventory data (e.g. full name, residential address, contact details, customer number)
  • Payment data (e.g. bank details, invoices, payment history)
  • Contact data (e.g. postal and email addresses, telephone numbers)
  • Content data (e.g. written or visual messages and contributions, authorship information, timestamps)
  • Contract data (e.g. contractual subject matter, duration, customer category)
  • Log data (e.g. login logs, retrieval of data, access times)
  • Usage data (e.g. page views, time spent, click paths, device types, operating systems, interaction with content)
  • Creditworthiness data (e.g. credit score received, estimated default probability, risk assessment based on this, historical payment behaviour)
  • Meta-, communication-, and procedural data (e.g. IP addresses, timestamps, identification numbers, involved persons)

Categories of Data Subjects

  • Service recipients (e.g. clients seeking advice) and commissioning parties
  • Prospective clients
  • Communication partners
  • Business and contractual partners
  • Third parties
  • Employees (e.g. staff, applicants, temporary workers, other personnel)
  • Users (e.g. website visitors, users of online services)

Purposes of Processing

  • Provision of contractual services and fulfilment of contractual obligations
  • Office and organisational procedures
  • Business processes and economic procedures
  • Communication
  • Public relations
  • Sales and promotion
  • Assessment of creditworthiness
  • Financial and payment management
  • Security measures
  • IT infrastructure (operation and provision of IT systems and technical devices)

Retention and Deletion

Deletion in accordance with the details in the section “General Information on Data Storage and Deletion”.

Legal Bases

  • Contract fulfilment and pre-contractual inquiries (Art. 6(1)(b) GDPR)
  • Legitimate interests (Art. 6(1)(f) GDPR)
  • Legal obligation (Art. 6(1)(c) GDPR)

Further Notes on Processing Activities, Procedures, and Services

Contact Management and Maintenance

Processes required for organising, maintaining, and securing contact information (e.g. setting up and maintaining a central contact database, regular updates, ensuring data integrity, implementing data protection measures, access control, backups, staff training, review of communication history).
Legal bases: Contract fulfilment (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR)

General Payment Transactions

Processes required for executing payment transactions, monitoring bank accounts, and controlling payment flows (e.g. preparing and reviewing transfers, managing direct debit payments, reviewing account statements, monitoring incoming and outgoing payments, managing returned debits, account reconciliation, cash management).
Legal bases: Contract fulfilment, Legitimate interests

Accounting, Accounts Payable, Accounts Receivable

Processes required for capturing, managing, and reviewing business transactions (e.g. preparing incoming and outgoing invoices, managing outstanding receivables and payables, managing reminders, account reconciliation).
Legal bases: Contract fulfilment, Legal obligation, Legitimate interests

Financial Accounting and Taxes

Processes for managing financial transactions and tax obligations (e.g. posting transactions, preparing quarterly and annual financial statements, handling payment processes, tax consulting, filing tax returns).
Legal bases: Contract fulfilment, Legal obligation, Legitimate interests

Public Relations

Processes required for PR and organisational communication (e.g. developing communication strategies, PR campaigns, preparing press releases, maintaining media contacts, monitoring media coverage, organising press conferences or public events, crisis communication, developing content for social media and websites, managing corporate branding).
Legal basis: Legitimate interests

Guest Wi-Fi

Processes for setting up, operating, maintaining and monitoring guest Wi-Fi networks (e.g. installing access points, managing guest access, monitoring connections, ensuring network security, troubleshooting, updating network software, compliance with data protection requirements).
Legal bases: Contract fulfilment, Legal obligation, Legitimate interests

Business Services

We process the data of our contractual and business partners, e.g., customers and prospective clients (collectively referred to as “contractual partners”), within the framework of contractual and comparable legal relationships, as well as associated measures, and for communication purposes with contractual partners (including pre-contractual measures), such as responding to inquiries.

We use this data to fulfill our contractual obligations. These obligations particularly include the provision of the agreed services, any obligations to provide updates, and remedies in cases of warranty issues or other service disruptions. Furthermore, we use the data to safeguard our rights and for administrative tasks associated with these obligations, as well as for organizational purposes. We also process the data on the basis of our legitimate interests in proper and efficient business management and in implementing security measures to protect our contractual partners and our operations from misuse, risks to their data, confidential information, and rights (e.g., by involving telecommunications, transportation, and auxiliary services, subcontractors, banks, tax and legal advisors, payment service providers, or tax authorities). In accordance with applicable law, we only disclose the data of contractual partners to third parties to the extent necessary for the aforementioned purposes or for fulfilling legal obligations. Contractual partners are informed about additional types of processing—e.g., for marketing purposes—within this privacy policy.

We inform contractual partners which data is required for the aforementioned purposes before or during the data collection process—e.g., in online forms, through special labels (such as colors) or symbols (such as asterisks), or in person.

We delete the data after the expiration of statutory warranty periods and comparable obligations, generally after four years, unless the data is stored in a customer account (e.g., for retention due to legal archiving obligations, typically ten years for tax purposes). Data provided to us within the framework of an assignment by a contractual partner is deleted in accordance with the legal requirements and generally after the assignment has ended.

Types of data processed:

Inventory data (e.g., full name, home address, contact information, customer number); payment data (e.g., bank details, invoices, payment history); contact data (e.g., postal and email addresses, telephone numbers); contract data (e.g., contract subject, duration, customer category).
Special categories of personal data: Health data.
Data subjects: Service recipients (e.g., clients in counseling) and clients; prospective clients; business and contractual partners; education and training participants.
Purposes of processing: Provision and fulfillment of contractual services; communication; office and organizational procedures; administrative procedures; business processes and economic procedures.
Retention and deletion: Deletion in accordance with the section “General Information on Data Storage and Deletion.”
Legal bases: Contract fulfillment and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b GDPR); legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Further Information on Processing Operations, Procedures, and Services

Education and Training Services

We process the data of participants in our educational and training programs (“trainees”) to provide our training services. The type, scope, purpose, and necessity of the processed data depend on the underlying contractual and training relationship. Processing includes performance assessments and evaluation of our services and those of the instructors.

In the course of this activity, we may also process special categories of data, particularly health data, as well as data revealing ethnic origin, political opinions, religious or philosophical beliefs. Where necessary, we obtain the trainees’ explicit consent and otherwise process special categories of data only to the extent necessary for providing training services, for health or social care purposes, or to protect vital interests.
Legal basis: Contract fulfillment and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b GDPR).

Online Courses and Online Training

We process the data of participants in our online courses and online training programs (“participants”) to provide our services. The processed data, type, scope, and necessity depend on the contractual relationship. Data includes information about attended courses and services, and where part of the offering, personal inputs and results. Processing includes performance evaluations and assessment of our services and those of instructors.
Depending on the course structure, additional processes may include attendance tracking, progress monitoring (e.g., tests and assessments), and analysis of platform interactions (e.g., forum posts, submissions).
Legal basis: Contract fulfillment and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b GDPR).

Therapeutic Services

We process the data of our clients, prospective clients, and other principals or contractual partners (“clients”) to provide our services. The type, scope, and purpose of the processed data depend on the underlying contractual and client relationship.

We may also process special categories of data, especially health data, potentially including data related to sexual life or orientation, as well as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Where necessary, we obtain explicit consent unless processing is required for the client’s health, the data is publicly available, or legally permitted.

If necessary for fulfilling the contract, protecting vital interests, or required by law, or if consent is given, we may disclose client data to third parties or agents, such as authorities, medical facilities, laboratories, billing agencies, or service providers in IT, office, or comparable fields.
Legal basis: Contract fulfillment and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b GDPR).

Payment Procedures

In the context of contractual or other legal relationships, due to legal obligations, or based on our legitimate interests, we offer efficient and secure payment options and use banks, financial institutions, and other service providers (“payment service providers”).

Payment service providers process inventory data (e.g., name, address), bank data (e.g., account numbers, credit card numbers), passwords, TANs, checksums, as well as contract-, transaction-, and recipient-related information. This data is necessary to process transactions. Entered payment data is processed exclusively by these providers; we do not receive account or credit card details, only confirmation or rejection notices.

Payment service providers may transmit data to credit agencies to verify identity and creditworthiness. Please refer to the payment providers’ terms and privacy notices for further details and information on exercising rights (withdrawal, access, etc.).

Types of data processed: Inventory data; payment data; contract data; usage data; meta-, communication-, and procedural data; contact data.
Data subjects: Service recipients; clients; business and contractual partners; prospective clients.
Purposes: Provision of contractual services; business and administrative processes.
Retention and deletion: According to the section “General Information on Data Storage and Deletion.”
Legal bases: Contract fulfillment and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Additional Information on Procedures and Services

Google Pay
Payment services (technical integration of online payment methods).
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Legal basis: Contract fulfillment and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b GDPR).

Mastercard
Payment services (technical integration of online payment methods).
Provider: Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium.
Legal basis: Contract fulfillment and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b GDPR).

PayPal
Payment services (including PayPal, PayPal Plus, Braintree).
Provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal, L-2449 Luxembourg.
Legal basis: Contract fulfillment and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b GDPR).

Visa
Payment services (technical integration of online payment methods).
Provider: Visa Europe Services Inc., London Branch, 1 Sheldon Square, London W2 6TT, UK.
Legal basis: Contract fulfillment and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b GDPR).
Basis for third-country transfers: Adequacy decision (UK).

Provision of the Online Offer and Web Hosting

We process the data of users in order to make our online services available to them. For this purpose, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the user’s browser or device.

Types of data processed:
Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and features);
Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved);
Log data (e.g., logfiles relating to logins or the retrieval of data or access times);
Content data (e.g., textual or visual messages and contributions, including related information such as authorship details or time of creation).

Data subjects:
Users (e.g., website visitors, users of online services).

Purposes of processing:
Provision of our online offer and user-friendliness;
Information technology infrastructure (operation and provision of information systems and technical devices such as computers, servers, etc.);
Security measures;
Provision of contractual services and fulfillment of contractual obligations.

Retention and deletion:
Deletion in accordance with the information provided in the section “General Information on Data Storage and Deletion.”

Legal bases:
Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Additional Information on Processing Operations, Procedures, and Services

Provision of the Online Offer on Rented Storage Space

For the provision of our online offer, we use storage space, computing capacity, and software that we rent or otherwise obtain from a corresponding server provider (also referred to as a “web host”).
Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Collection of Access Data and Logfiles

Access to our online offer is logged in the form of so-called “server logfiles.” Server logfiles may include the addresses and names of retrieved web pages and files, date and time of access, transferred data volumes, information on successful retrieval, browser type and version, the user’s operating system, referrer URL (the previously visited page), and typically IP addresses and the requesting provider.

Server logfiles may be used for security purposes—for example, to prevent server overload (especially in cases of abusive attacks such as DDoS attacks)—and to ensure the server’s load capacity and stability.

Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
Deletion of data: Logfile information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further retention is required for evidence purposes is exempt from deletion until the respective incident has been fully resolved.

Content Delivery Network

We use a “Content Delivery Network” (CDN). A CDN is a service that helps deliver the content of an online offer—particularly large media files such as graphics or program scripts—faster and more securely using regionally distributed and internet-connected servers.
Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Service Providers

DomainFactory
Services in the field of providing IT infrastructure and related services (e.g., storage space and/or computing capacity).
Provider: Domainfactory GmbH, c/o WeWork, Neuturmstrasse 5, 80331 Munich, Germany
Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR)
Website: domainfactory.de
Privacy policy: df.eu/de/datenschutz
Data processing agreement: df.eu/de/support/formulare/

Hetzner
Services in the field of providing IT infrastructure and related services (e.g., storage space and/or computing capacities).
Provider: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany
Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR)
Website: hetzner.com
Privacy policy: hetzner.com/de/rechtliches/datenschutz
Data processing agreement: docs.hetzner.com/de/general/general-terms-and-conditions/data-privacy-faq/

1&1 IONOS
Services for providing IT infrastructure and related services.
Provider: 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany
Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR)
Website: ionos.de
Privacy policy: ionos.de/terms-gtc/terms-privacy
Data processing agreement: ionos.de/hilfe/datenschutz/…

DigitalOcean
Content Delivery Network (CDN) services enabling faster and more secure delivery of large media files.
Provider: DigitalOcean, LLC, 101 Avenue of the Americas, New York, NY 10013, USA
Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR)
Website: digitalocean.com
Privacy policy: digitalocean.com/legal/privacy-policy
Data processing agreement: digitalocean.com/legal/data-processing-agreement
Basis for third-country transfers: Data Privacy Framework (DPF)

Plesk
IT infrastructure services and related offerings.
Provider: Plesk International GmbH, Vordergasse 59, 8200 Schaffhausen, Switzerland
Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR)
Website: parallels.com
Privacy policy: plesk.com/legal/#privacy-policy
Data processing agreement: Provided by the service provider
Basis for third-country transfers: Adequacy decision (Switzerland)

gstatic.com
CDN services supporting fast and secure delivery of website content.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR)
Website: google.de
Privacy policy: policies.google.com/privacy

JSDelivr
CDN services for efficient delivery of media and files, especially under high load.
Provider: ProspectOne, Królewska 65A/1, 30-081 Kraków, Poland
Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR)
Website: jsdelivr.com
Privacy policy: jsdelivr.com/terms/privacy-policy

mailbox.org
Email hosting services.
Provider: Heinlein Hosting GmbH, Schwedter Straße 8/9A, 10119 Berlin, Germany
Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR)
Website: mailbox.org
Privacy policy: mailbox.org/de/datenschutz
Data processing agreement: Provided by the service provider

Raidboxes
IT infrastructure services and related offerings.
Provider: RAIDBOXES GmbH, Hafenstraße 32, 48153 Münster, Germany
Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR)
Website: raidboxes.io
Privacy policy: raidboxes.io/legal/privacy
Data processing agreement: helpcenter.raidboxes.de/…

Contact and Inquiry Management

When contacting us (e.g., by mail, contact form, email, phone, or via social media) and within existing user or business relationships, the information provided by the requesting individuals is processed to the extent necessary to respond to the inquiries and any requested measures.

Types of data processed:
Inventory data (e.g., full name, home address, contact information, customer number);
Contact data (e.g., postal and email addresses, telephone numbers);
Content data (e.g., written or visual messages and related information such as authorship details or time of creation);
Usage data (e.g., page views, dwell time, click paths, frequency and intensity of use, device types, operating systems, interactions with content and features);
Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved).

Data subjects:
Communication partners.

Purposes of processing:
Communication;
Organizational and administrative procedures;
Feedback (e.g., collecting feedback via an online form);
Provision of our online offer and user-friendliness.

Retention and deletion:
Deletion according to the section “General Information on Data Storage and Deletion.”

Legal bases:
Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR);
Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR).

Additional Notes on Processes, Procedures, and Services

Contact Form
When contacting us via our contact form, email, or other communication channels, we process the personal data transmitted to us for the purpose of responding to and handling the respective inquiry. This typically includes information such as name, contact details, and, where relevant, additional information provided to us and required for proper handling. We use this data exclusively for the stated purpose of communication.
Legal bases: Contract fulfillment and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Contact Form 7
Management of contact inquiries and communication.
Provider: Rock Lobster, LLC
Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR)
Website: contactform7.com
Additional information: Operated within a self-hosted environment.

Video Conferences, Online Meetings, Webinars, and Screen Sharing

We use platforms and applications provided by other providers (hereinafter referred to as “conference platforms”) for the purpose of conducting video and audio conferences, webinars, and other types of video and audio meetings (collectively referred to as “conferences”). When selecting the conference platforms and their services, we comply with applicable legal requirements.

Data processed by conference platforms

When participating in a conference, conference platforms process the following personal data of participants. The scope of processing depends on which data is required for a specific conference (e.g., login details or real names) and which optional information participants choose to provide. In addition to processing for hosting the conference, participant data may also be processed by the platforms for security or service optimization purposes.

The data processed may include: personal data (first and last name), contact details (email address, telephone number), access data (access codes or passwords), profile photos, information about professional roles/functions, IP address of the internet connection, information about participants’ devices, operating systems, browsers and their technical and language settings, information about communication content (chat entries, audio and video data), and usage of available functions (e.g., polls). Content of communications is encrypted to the extent technically provided by the conference platform.

If participants are registered as users with the conference platform, additional data may be processed according to the agreement with the respective platform provider.

Logging and recordings

If text entries, participation results (e.g., polls), or video or audio recordings are logged, participants will be informed transparently in advance and — where required — asked for their consent.

Data protection measures for participants

Please review the privacy notices of the respective conference platforms for details on the processing of your data, and choose the security and privacy settings that are optimal for you. During video conferences, please ensure that your background is protected (e.g., by informing cohabitants, closing doors, or — where technically available — activating background-blurring functions). Links to conference rooms and login credentials must not be shared with unauthorized third parties.

Legal bases

Where we process user data ourselves in addition to the conference platforms, and users are asked for consent to use conference platforms or specific features (e.g., consent to recordings), the legal basis is that consent. Furthermore, processing may be necessary to fulfill contractual obligations (e.g., participant lists, documentation of meeting results). Otherwise, data is processed based on our legitimate interests in efficient and secure communication with our communication partners.

Types of data processed

Inventory data; contact data; content data; usage data; image and/or video recordings; audio recordings; log data; meta, communication, and procedural data.

Data subjects:

Communication partners; users (e.g., website visitors, users of online services); individuals depicted in audio/video recordings.

Purposes of processing:

Provision of contractual services; communication; office and administrative processes; provision of our online offer and user-friendliness.

Retention and deletion:

Deletion according to the section “General Information on Data Storage and Deletion.”

Legal basis:

Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Additional Information on Platforms

Microsoft Teams

Audio and video conferencing, chat, file sharing, Office 365 integration, real-time collaboration, calendar features, task management, screen sharing, optional recording.
Provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland
Legal basis: Legitimate interests
Website: microsoft.com/microsoft-teams
Privacy policy: privacy.microsoft.com
Security information: microsoft.com/trustcenter
Third-country transfer basis: Data Privacy Framework (DPF)

Zoom

Video conferences, online meetings, webinars, screen sharing, optional recordings, chat, calendar and app integrations.
Provider: Zoom Video Communications, Inc., 55 Almaden Blvd., Suite 600, San Jose, CA 95113, USA
Legal basis: Legitimate interests
Website: zoom.us
Privacy policy: explore.zoom.us/privacy
Data Processing Agreement: explore.zoom.us/docs/...
Third-country transfer basis: Data Privacy Framework (DPF)

BigBlueButton

Open-source web conferencing system, including integrations with major learning and content management systems.
Provider: Operation on servers and/or computers under our own data protection responsibility.
Legal basis: Legitimate interests
Website: bigbluebutton.org

Cloud Services

We use software services accessible over the internet and operated on the servers of their providers (“cloud services” or “Software as a Service”) for storing and managing content (e.g., document storage and management, sharing documents and information with specific recipients, or publishing content).

Personal data may be processed and stored on the servers of cloud service providers if it forms part of communications with us or is otherwise processed by us as described in this privacy policy. This may include inventory and contact data, data relating to processes, contracts, or other procedures and their content. Cloud providers may also process usage and metadata for security or service optimization purposes.

Where we use cloud services to provide forms or documents to other users or publicly accessible websites, providers may store cookies on users’ devices for web analytics or remembering user settings (e.g., media playback).

Types of data processed:

Inventory data; contact data; content data; usage data.

Data subjects:

Interested parties; communication partners; business and contractual partners.

Purposes:

Office and administrative processes; IT infrastructure (operation and provision of IT systems and technical devices such as computers, servers, etc.).

Retention and deletion:

According to “General Information on Data Storage and Deletion.”

Legal basis:

Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Cloud Service Providers

mailbox.org (Cloud storage)

Provider: Heinlein Hosting GmbH, Schwedter Straße 8/9A, 10119 Berlin, Germany
Legal basis: Legitimate interests
Website: mailbox.org
Privacy policy: mailbox.org/de/datenschutzerklaerung

Microsoft Cloud Services

Cloud storage, cloud infrastructure, cloud-based software
Provider: Microsoft Ireland Operations Limited
Legal basis: Legitimate interests
Website: microsoft.com
Privacy policy: privacy.microsoft.com
Security: microsoft.com/trustcenter
DPA: microsoft.com/licensing/docs/...
Third-country transfer basis: DPF

Nextcloud

Cloud storage, cloud infrastructure, cloud-based applications
Provider: Nextcloud GmbH, Hauptmannsreute 44a, 70192 Stuttgart, Germany
Legal basis: Legitimate interests
Website: nextcloud.com
Privacy policy: nextcloud.com/privacy

Newsletter and Electronic Notifications

We send newsletters, emails, and other electronic notifications (“newsletters”) only with the consent of the recipients or based on a legal permission. If specific content is mentioned during newsletter registration, such content is decisive for the user’s consent. Usually, providing an email address is sufficient; however, we may request a name for personalized addressing or additional information necessary for the newsletter’s purpose.

Deletion and restriction of processing

We may store unsubscribed email addresses for up to three years based on our legitimate interests, to prove that consent previously existed. Processing is limited to the purpose of possible defense against claims. Individual deletion requests are possible at any time if former consent is confirmed. Where objections must be observed permanently, we store the email address solely on a “blocklist.”

Logging of the registration process is based on our legitimate interests in proving its lawful execution. If we use a service provider to send emails, this is based on our legitimate interests in an efficient and secure email delivery system.

Content of newsletters

The newsletter is sent twice a year and informs about our publications, events, and current developments such as legal proceedings and right-wing attacks.

Types of data processed:

Inventory data; contact data; meta and communication data; usage data.

Data subjects:

Communication partners.

Purposes:

Direct marketing; reach measurement.

Legal bases:

Consent (Art. 6 para. 1 lit. a GDPR); legitimate interests (Art. 6 para. 1 lit. f GDPR).

Opt-out

You may unsubscribe or withdraw your consent at any time. A link to unsubscribe is included in every newsletter, or you may contact us using the methods provided above (preferably via email).

Service provider: Brevo (formerly Sendinblue)

Email delivery and automation services
Provider: Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany
Legal basis: Legitimate interests
Website: brevo.com
Privacy policy: brevo.com/legal/privacypolicy
Data Processing Agreement: Provided by the service provider

Promotional Communication via Email, Post, Fax, or Telephone

We process personal data for the purpose of promotional communication via various channels (email, telephone, post, fax), in accordance with legal requirements.

Recipients may revoke consent or object to such communication at any time.

Following revocation or objection, we retain the data required to prove prior authorization for up to three years based on our legitimate interests. Processing is restricted to defense against potential claims. Based on our legitimate interest in preventing renewed contact, we also store the data necessary to maintain a permanent block (e.g., email address, telephone number, name).

Types of data processed:

Inventory data; contact data; content data.

Data subjects:

Communication partners.

Purposes:

Direct marketing; marketing activities; sales promotion.

Retention and deletion:

According to “General Information on Data Storage and Deletion.”

Legal bases:

Consent (Art. 6 para. 1 lit. a GDPR); legitimate interests (Art. 6 para. 1 lit. f GDPR).

Web Analysis, Monitoring, and Optimization

Web analysis (also referred to as "reach measurement") is used to evaluate the visitor flows of our online offerings and can include behavior, interests, or demographic information about visitors, such as age or gender, as pseudonymous values. Using reach analysis, for example, we can determine at which times our online offerings or their functions or content are most frequently used or invite reuse. Likewise, it allows us to track which areas require optimization.

In addition to web analysis, we can also use testing methods to, for example, test and optimize different versions of our online offerings or their components.

Unless otherwise specified below, profiles—that is, data consolidated for a usage session—may be created for these purposes, and information can be stored in a browser or on a device and later retrieved. The collected data includes, in particular, visited websites and the elements used there, as well as technical information such as the browser used, the computer system used, and usage times. If users have consented to the collection of their location data either to us or to the providers of the services we use, the processing of location data is also possible.

Furthermore, users’ IP addresses are stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. In general, no personal data of users (such as email addresses or names) are stored during web analysis, A/B testing, and optimization; only pseudonyms are used. This means that neither we nor the providers of the software used know the actual identity of the users, only the information stored in their profiles for the respective processes.

Notes on Legal Bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed based on our legitimate interests (i.e., the interest in efficient, economical, and user-friendly services). In this context, we also refer you to the information on the use of cookies in this privacy policy.

Types of Data Processed: Usage data (e.g., page views and duration, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions). Meta, communication, and procedural data (e.g., IP addresses, time information, identification numbers, involved persons).
Data Subjects: Users (e.g., website visitors, users of online services).
Purposes of Processing: Reach measurement (e.g., access statistics, identification of recurring visitors). Profiles with user-related information (creation of user profiles).
Retention and Deletion: Deletion according to the section "General Information on Data Storage and Deletion." Storage of cookies for up to 2 years (unless otherwise stated, cookies and similar storage methods may be stored on users’ devices for a period of two years).
Security Measures: IP masking (pseudonymization of the IP address).
Legal Bases: Consent (Art. 6(1) sentence 1(a) GDPR), legitimate interests (Art. 6(1) sentence 1(f) GDPR).

Further Notes on Processing Operations, Procedures, and Services:

  • Statify: Collection and display of visitor statistics without storing personal data. Counts page views and shows the number of visits for individual pages. No cookies or third-party services are used; service provider: execution on servers and/or computers under our own data protection responsibility; legal basis: legitimate interests (Art. 6(1) sentence 1(f) GDPR). Website: https://pluginkollektiv.org/.

Social Media Presences

We maintain online presences within social networks and process user data in this context to communicate with users active there or to provide information about us.

We note that user data may be processed outside the European Union. This may pose risks for users, for example, because enforcing users’ rights could be more difficult.

Furthermore, user data within social networks is usually processed for market research and advertising purposes. For example, user profiles may be created based on usage behavior and resulting interests. These profiles may in turn be used to display advertisements within and outside the networks that presumably match the users’ interests. Therefore, cookies are usually stored on users’ devices, which store usage behavior and user interests. In addition, user profiles may contain data independent of the devices used by users (especially if they are members of the respective platforms and logged in there).

For a detailed presentation of the respective processing methods and opt-out options, we refer to the privacy policies and information of the operators of the respective networks.

With regard to requests for information and the assertion of data subject rights, we also note that these are most effectively exercised with the providers themselves. Only the latter have access to the user data and can take direct measures and provide information. If you still need assistance, you may contact us.

Types of Data Processed: Contact data (e.g., postal and email addresses or telephone numbers); content data (e.g., textual or visual messages and posts and related information, such as authorship or creation time); usage data (e.g., page views and duration, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions). Meta, communication, and procedural data (e.g., IP addresses, time information, identification numbers, involved persons).
Data Subjects: Users (e.g., website visitors, users of online services).
Purposes of Processing: Communication; feedback (e.g., collecting feedback via online forms); public relations.
Retention and Deletion: Deletion according to the section "General Information on Data Storage and Deletion."
Legal Bases: Legitimate interests (Art. 6(1) sentence 1(f) GDPR); consent (Art. 6(1) sentence 1(a) GDPR).

Further Notes on Processing Operations, Procedures, and Services:

  • Instagram: Social network that allows sharing photos and videos, commenting on and favoriting posts, sending messages, subscribing to profiles and pages; service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; legal basis: legitimate interests (Art. 6(1) sentence 1(f) GDPR); website: https://www.instagram.com; privacy policy: https://privacycenter.instagram.com/policy/. Third-country transfer basis: Data Privacy Framework (DPF).
  • Facebook Pages: Profiles within the social network Facebook – We are jointly responsible with Meta Platforms Ireland Limited for the collection (but not further processing) of data from visitors to our Facebook page (“Fanpage”). This includes information on the types of content users view or interact with or actions taken by them, as well as information on devices used (e.g., IP addresses, OS, browser type, language settings, cookies). Facebook also collects and uses data to provide analysis services (“Page Insights”) for page operators. We have a special agreement with Facebook covering these matters. Users’ rights are not restricted. Further information: https://www.facebook.com/legal/terms/information_about_page_insights_data. Third-country transfer basis: Data Privacy Framework (DPF).
  • TikTok: Social network enabling sharing of photos and videos, commenting and favoriting posts, sending messages, subscribing to accounts; service providers: TikTok Technology Limited (Dublin) and TikTok Information Technologies UK Limited (London); legal basis: consent (Art. 6(1) sentence 1(a) GDPR); website: https://www.tiktok.com; privacy policy: https://www.tiktok.com/de/privacy-policy. Third-country transfer basis: Standard Contractual Clauses.
  • X (formerly Twitter): Social network; service provider: Twitter International Company, Dublin; legal basis: legitimate interests (Art. 6(1) sentence 1(f) GDPR); website: https://x.com; privacy policy: https://x.com/de/privacy.
  • YouTube: Social network and video platform; service provider: Google Ireland Limited, Dublin; legal basis: legitimate interests (Art. 6(1) sentence 1(f) GDPR); privacy policy: https://policies.google.com/privacy; third-country transfer basis: Data Privacy Framework (DPF). Opt-out: https://myadcenter.google.com/personalizationoff.

Plugins and Embedded Functions and Content

We integrate functional and content elements in our online offerings that are retrieved from the servers of their respective providers (“third parties”). This may include graphics, videos, or maps (“content”).

Integration always requires that the third-party providers process users’ IP addresses, because without the IP address the content cannot be sent to the users’ browsers. The IP address is thus required for the display of these contents or functions. We strive to use only content whose providers use the IP address solely for content delivery. Third parties may also use pixel tags (invisible graphics, also called “web beacons”) for statistical or marketing purposes. Pixel tags can evaluate information such as visitor traffic on the pages of this website. Pseudonymous information may also be stored in cookies on users’ devices, including technical details about the browser and OS, referrer websites, visit time, and other usage details, and may be linked with information from other sources.

Notes on Legal Bases: If we request users’ consent for the use of third parties, the legal basis is consent. Otherwise, data is processed based on our legitimate interests (efficient, economical, and user-friendly services). We also refer to the information on cookie use in this privacy policy.

Types of Data Processed: Usage data (e.g., page views, duration, click paths, intensity and frequency of use, devices, OS, interactions with content and functions). Meta, communication, and procedural data (e.g., IP addresses, time information, identification numbers, involved persons).
Data Subjects: Users (e.g., website visitors, online service users).
Purposes of Processing: Provision of our online offerings and user-friendliness; marketing. Profiles with user-related information (creation of user profiles).
Retention and Deletion: Deletion according to the section "General Information on Data Storage and Deletion." Cookies may be stored for up to 2 years.
Legal Bases: Consent (Art. 6(1) sentence 1(a) GDPR); legitimate interests (Art. 6(1) sentence 1(f) GDPR).

Further Notes on Processing Operations, Procedures, and Services:

  • Google Fonts (from Google server): Retrieval of fonts (and symbols) for technically secure, maintenance-free, and efficient use of fonts and symbols, ensuring consistency, speed, and compliance with possible licensing restrictions. Users’ IP addresses are transmitted to the provider to deliver fonts in their browser. Technical data (language, screen resolution, OS, hardware) is also transmitted. Data may be processed on Google servers in the USA. Google Fonts Web API logs HTTP request details (requested URL, user agent, referrer URL). Google states it does not use the information to create profiles or target ads. Service provider: Google Ireland Limited; legal basis: legitimate interests; website: https://fonts.google.com; privacy policy: https://policies.google.com/privacy; third-country transfer: Data Privacy Framework. Further info: https://developers.google.com/fonts/faq/privacy?hl=de.
  • X Plugins and Content: Plugins and buttons for the X platform, e.g., to share content from this site; service provider: Twitter International Company, Dublin; legal basis: legitimate interests; website: https://x.com/de; privacy policy: https://x.com/de/privacy; third-country transfer: Standard Contractual Clauses.
  • Font Awesome (from provider server): Retrieval of fonts and symbols for technically secure, maintenance-free, and efficient use; service provider: Fonticons, Inc., USA; legal basis: legitimate interests; website: https://fontawesome.com; privacy policy: https://fontawesome.com/privacy.

Changes and Updates

Please regularly review the content of our privacy policy. We update the privacy policy whenever changes in our data processing make it necessary. We inform you if changes require your action (e.g., consent) or individual notification.

If we provide addresses and contact information of companies and organizations in this privacy policy, please note that addresses may change over time and should be verified before contacting.

Supervisory Authority Responsible for Us:

Data Protection Officer of the Evangelical Church in Germany – Berlin Branch –
Invalidenstraße 29
10115 Berlin
Phone: 030 2005157-0
Fax: 030 2005157-20
Email: ost@datenschutz.ekd.de
Internet: https://datenschutz.ekd.de/datenschutz/