PRIVACY POLICY

This privacy policy informs you about the nature, scope, and purpose of the processing of personal data (hereinafter referred to as “data”) in connection with the use of our online offering. This includes all associated websites, functions, and content, as well as external online presences such as our profiles on social networks (collectively referred to as “online offering”). For the terms used in data protection law – such as “processing” or “controller” – we refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).

Person in charge

The e-learning application “OSIANTO” is an offering of
30 doradus media design gmbh
Niederstr. 29
40789 Monheim, Germany
Email: info@30doradus.de
Managing Director: Jürgen Osterberg

Types of data processed

  • Master data (e.g., names, addresses)
  • Contact data (e.g., email addresses, telephone numbers)
  • Content data (e.g., text entries, photographs, videos)
  • Usage data (e.g., websites visited, access times, interest in content)
  • Meta and communication data (e.g., device information, IP addresses)
  • Categories of data subjects

Visitors and users of our online offering are affected by data processing. We refer to these collectively as “users” below.

Purposes of processing

  • Provision of the online offering, including all functions and content
  • Processing of contact requests and communication with users
  • Implementation of security measures to ensure data protection
  • Reach measurement and marketing

Terms used

In this privacy policy, we use various terms in accordance with the General Data Protection Regulation (GDPR). “Personal data” refers to all information relating to an identified or identifiable natural person. A person is considered identifiable if they can be identified directly or indirectly—for example, by association with a name, an identification number, location data, an online identifier (such as a cookie), or by specific characteristics that are an expression of that person’s physical, physiological, genetic, mental, economic, cultural, or social identity.

“Processing“ means any operation or set of operations performed on personal data, whether or not by automated means. The term is very broad and covers virtually any handling of data.

”Pseudonymization” describes the processing of personal data in such a way that the data can no longer be attributed to a specific person without additional information. This additional information must be stored separately and protected by appropriate technical and organizational measures to prevent re-identification.

“Profiling” refers to any form of automated processing of personal data in which this data is used to evaluate certain personal aspects of a person – for example, in relation to work performance, economic situation, health, preferences, interests, reliability, behavior, or location.

The “controller” is the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.

A “processor,” on the other hand, is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.

Relevant legal bases

The processing of personal data is based on various legal bases set out in the General Data Protection Regulation (GDPR). Below, we would like to outline the most important legal bases on which we base the processing of your data:

  • Consent (Art. 6 (1) (a) GDPR): If you give us your express consent to process your data, this constitutes the basis for processing. Such consent can be revoked at any time.
  • Contract fulfillment (Art. 6 (1) (b) GDPR): If the processing of your data is necessary to fulfill a contract with you or to take pre-contractual measures at your request, we rely on this legal basis.
  • Legal obligation (Art. 6 para. 1 lit. c GDPR): If we are obliged to process your data due to legal requirements, the processing is based on this legal obligation.
  • Legitimate interests (Art. 6 (1) (f) GDPR): In some cases, we process your data because we have a legitimate interest in carrying out certain activities, such as improving our services or ensuring IT security. In such cases, we ensure that your rights and freedoms are not unduly affected.

Security measures

In accordance with Art. 32 GDPR, we take appropriate technical and organizational measures to ensure a level of protection that is appropriate to the respective risk to the rights and freedoms of the data subjects. In doing so, we take into account the current state of the art, the costs of implementation, the nature and scope of the processing, and the specific circumstances and purposes of the data processing. We also pay attention to the likelihood and severity of the risks associated with the processing of personal data.

The measures taken include, in particular:

  • Ensuring the confidentiality, integrity, and availability of data through controlled physical access and targeted measures to protect against unauthorized access, as well as ensuring data security during input, processing, transfer, and storage.
  • Implementing procedures that enable the rights of data subjects to be protected, data to be deleted, and appropriate responses to be made to potential threats to data.

In addition, we take the protection of personal data into account when developing or selecting hardware, software, and procedures, and implement the principle of data protection by design and by default in accordance with Art. 25 GDPR.

Cooperation with processors and third parties

If, in the course of our data processing, we disclose personal data to other persons or companies, transfer it to them, or otherwise grant them access to the data, this is done exclusively on the basis of legal permission. This may be the case, for example, if the transfer of data to third parties, such as payment service providers, is necessary for the performance of a contract in accordance with Art. 6 (1) (b) GDPR. Furthermore, this may also occur if you have consented to the data transfer, if there is a legal obligation to do so, or if it is based on our legitimate interests (e.g., when using service providers such as web hosts).

If we commission third parties to process personal data within the framework of a so-called “order processing agreement,” this is done in accordance with the requirements of Art. 28 GDPR.

Transfers to third countries

If we process personal data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or the disclosure or transferring data to third parties, this will only happen if it is necessary to fulfill our (pre)contractual obligations, on the basis of your consent, due to a legal obligation, or for legitimate interests on our part.

If legal or contractual permissions exist, we will only process data in a third country or commission third parties to do so if the special requirements of Art. 44 ff. This means that processing may only take place on the basis of special guarantees, such as the recognized determination of a level of protection equivalent to that of the EU (e.g., for the US through the “Privacy Shield”) or through compliance with officially recognized special contractual obligations, such as “standard contractual clauses.”

Rights of data subjects

Pursuant to Art. 15 GDPR, you have the right to request confirmation from us as to whether your personal data is being processed. In addition, you can obtain information about this data as well as further information and a copy of the data.

Pursuant to Art. 16 GDPR, you have the right to request the completion of your personal data or the correction of inaccurate data.

Pursuant to Art. 17 GDPR, you have the right to request the immediate erasure of your personal data. Alternatively, pursuant to Art. 18 GDPR, you may request the restriction of the processing of your data.

According to Art. 20 GDPR, you have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format and to request its transfer to another controller.

In addition, according to Art. 77 GDPR, you have the right to lodge a complaint with the competent supervisory authority.

Right of revocation

You have the right to revoke your consent in accordance with Art. 7 (3) GDPR with effect for the future.

Right to object

You can object to the future processing of your personal data at any time in accordance with Art. 21 GDPR. The objection may be directed in particular against processing for direct marketing purposes.

Cookies and the right to object to direct marketing

“Cookies” are small files that are stored on users’ devices and can contain various types of information. The main purpose of cookies is to store user information during or after their visit to an online offering. Temporary cookies, also known as “session cookies” or “transient cookies,” are deleted when the user leaves the online offering and closes the browser. These cookies store, for example, the contents of a shopping cart in an online shop or the login status. “Permanent” or “persistent” cookies remain stored even after the browser is closed. They can, for example, maintain the login status when the user revisits the online service after several days. The user’s interests can also be stored in permanent cookies for use in reach measurement or marketing purposes. “Third-party cookies” are cookies that are set by providers outside of the party responsible for the online offering, while “first-party cookies” are only set by that party itself.

We use both temporary and permanent cookies and provide information about this in our privacy policy.

Users have the option of preventing cookies from being stored by deactivating the corresponding option in their browser settings. Cookies that have already been stored can be deleted in the browser’s system settings. Please note that deactivating cookies may lead to restrictions in the functionality of this online offering.

A general objection to the use of cookies for online marketing purposes is possible for many services, especially in the area of tracking, via the US website http://www.aboutads.info/choices/ or the European website http://www.youronlinechoices.com/. In addition, the storage of cookies can be prevented by deactivating them in the browser settings. Please note that in this case, not all functions of this online offering may be available.

Deletion of data

The data we process will be deleted or its processing restricted in accordance with the provisions of Articles 17 and 18 GDPR. Unless expressly stated otherwise in this privacy policy, the data stored by us will be deleted as soon as it is no longer required for the respective purpose and there are no legal retention obligations to the contrary. If the data is not deleted because it is required for other legally permissible purposes, its processing will be restricted. This means that the data will be blocked and may not be used for other purposes. This applies, for example, to data that must be retained due to commercial or tax law regulations.

In Germany, data is stored in accordance with legal requirements, in particular for 10 years in accordance with Section 147 (1) AO and Section 257 (1) No. 1 and 4, (4) HGB (including books, records, management reports, accounting documents, trading books, and documents relevant for taxation) and for 6 years in accordance with Section 257 ( 1 No. 2 and 3, para. 4 HGB (including commercial letters).

In Austria, data is stored in accordance with legal requirements, in particular for 7 years in accordance with § 132 (1) BAO (including accounting documents, receipts/invoices, accounts, business documents, and statements of income and expenditure), for 22 years in connection with real estate, and for 10 years for documents relating to electronically supplied services, telecommunications, radio, and television services provided to non-business customers in EU member states and for which the Mini One Stop Shop (MOSS) is used.

Business-related processing

In addition, we process:

  • Contract data (e.g., subject matter of the contract, term, customer category),
  • Payment data (e.g., bank details, payment history),

from our customers, prospects, and business partners in order to provide contractual services, ensure service and customer care, and carry out marketing, advertising, and market research.

Agency services

We process our customers’ data in the context of providing contractual services, which include conceptual and strategic consulting, campaign planning, software and design development/consulting or maintenance, the implementation of campaigns and processes, as well as server administration, data analysis, consulting services, and training offerings.

In doing so, we process:

  • Inventory data (e.g., customer master data such as names or addresses),
  • Contact data (e.g., email addresses, telephone numbers),
  • Content data (e.g., text entries, photographs, videos),
  • Contract data (e.g., subject matter of the contract, term),
  • payment data (e.g., bank details, payment history),
  • usage and metadata (e.g., for evaluating and measuring the success of marketing measures).

Special categories of personal data are generally not processed unless they are part of a commissioned processing operation. The data subjects include our customers, interested parties, and their customers, users, website visitors, employees, and third parties. The purpose of data processing is to provide contractual services, billing, and customer service. The legal basis for processing is Art. 6 (1) (b) GDPR (contractual services) and Art. 6 (1) (f) GDPR (analysis, statistics, optimization, security measures).

We only process the data that is necessary for the establishment and fulfillment of the contractual services and point out the necessity of providing this data. Disclosure to third parties only takes place if this is necessary within the scope of an order. Within the scope of order processing in accordance with Art. 28 GDPR, we process the data provided to us exclusively in accordance with the instructions of the client and exclusively for the purposes specified in the order.

The data will be deleted after the expiry of statutory warranty and comparable obligations. The necessity of storage is reviewed every three years. In the case of legally prescribed archiving obligations, deletion takes place after their expiry (6 years in accordance with Section 257 (1) HGB, 10 years in accordance with Section 147 (1) AO). We delete data provided to us within the scope of an order in accordance with the specifications of the order, usually after completion of the order.

Contractual services

We process the data of our contractual partners, interested parties, and other clients, customers, or contractual partners (hereinafter referred to uniformly as “contractual partners”) in accordance with Art. 6 (1) (b) GDPR in order to provide them with our contractual or pre-contractual services. The type, scope, and purpose of the processing, as well as the necessity of the data processing, are based on the underlying contractual relationship.

The data processed includes, in particular:

  • Master data of our contractual partners (e.g., names and addresses)
  • Contact details (e.g., email addresses, telephone numbers)
  • contract data (e.g., services used, contract content, contractual communication, names of contact persons),
  • payment data (e.g., bank details, payment history).

Special categories of personal data are generally not processed unless they are part of commissioned or contractual processing.

We only process the data that is necessary for the establishment and fulfillment of the contractual services and, if not obvious to the contractual partner, we point out the necessity of providing this data. Data is only disclosed to external persons or companies if this is necessary within the framework of a contract. When processing the data provided to us within the framework of an order, we act in accordance with the instructions of the client and the legal requirements.

When using our online services, we may store the IP address and the time of the respective user action. This storage is based on our legitimate interests and the interests of users in protection against misuse and unauthorized use. This data will not be passed on to third parties unless it is necessary to pursue our claims in accordance with Art. 6 (1) lit. f GDPR or there is a legal obligation in accordance with Art. 6 (1) lit. c GDPR.

The data is deleted when it is no longer required for the fulfillment of contractual or statutory duties of care, warranty obligations, or comparable obligations. The necessity of storage is reviewed every three years; otherwise, the statutory storage obligations apply.

Contact

When contacting us (e.g. via contact form, email, telephone or social media), the user’s details are processed for the purpose of handling the contact request and its processing in accordance with Art. 6 (1) lit. b GDPR. User data may be stored in a customer relationship management system (“CRM system”) or a comparable request management system.

We delete requests as soon as they are no longer required. The necessity is reviewed every two years; in addition, the statutory archiving obligations apply.

Collection of access data and log files

We or our hosting provider collect data about every access to the server on which this service is hosted (so-called server log files) on the basis of our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR. The access data includes the name of the website accessed, the file, the date and time of access, the amount of data transferred, the notification of successful access, the browser type and version, the user’s operating system, the referrer URL (the previously visited page), the IP address and the requesting provider.

The log file information is stored for a maximum of 7 days for security reasons (e.g. to investigate misuse or fraud) and then deleted. Data whose further storage is required for evidentiary purposes will remain stored until the respective incident has been finally clarified.

Google AdWords and conversion measurement

We use the services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”) on the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offer within the meaning of Art. 6 para. 1 lit. f GDPR).

Google is certified under the Privacy Shield Agreement and thus offers a guarantee that European data protection law is complied with (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

As part of our online marketing, we use the “Google AdWords” process to place ads in the Google advertising network (e.g. in search results, in videos, on websites, etc.) that are displayed to users who are presumed to be interested in these ads. This enables us to place targeted ads within our online offering and only present users with ads that potentially match their interests. An example of this is “remarketing”, where a user is shown ads for products that they have shown an interest in on other websites. For these purposes, a code is executed directly by Google when you visit our website and other websites on which the Google advertising network is active. So-called (re)marketing tags (invisible graphics or code, also known as “web beacons”) are integrated into the websites. This stores an individual cookie on the user’s device (comparable technologies can also be used instead of cookies). This file stores information about which websites the user has visited, which content they have been interested in and which offers they have clicked on, as well as technical information about the browser and operating system, the referrer websites, visiting times and other information about the use of the online offer.

We also receive an individual “conversion cookie”. Google uses the information obtained through the cookie to create conversion statistics for us. However, we only receive the anonymous total number of users who clicked on our ad and were redirected to a page with a conversion tracking tag. We do not receive any information with which users can be personally identified.

User data is processed pseudonymously within the Google advertising network. This means that Google does not store the user’s name or email address, for example, but processes the relevant data within pseudonymous user profiles. The ads are therefore not displayed for a specifically identified person, but for the owner of the cookie, regardless of their actual identity. This does not apply if a user has expressly allowed Google to process the data without this pseudonymization. The information collected is transmitted to Google and stored on Google’s servers in the USA.

Further information on the use of data by Google, setting and objection options can be found in Google’s privacy policy (https://policies.google.com/technologies/ads) and in the settings for the display of advertisements by Google (https://adssettings.google.com/authenticated).

Reach measurement with Matomo

As part of the reach analysis with Matomo, the following data is processed on the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offer within the meaning of Art. 6 para. 1 lit. f GDPR): Browser type and version, operating system, country of origin, date and time of the server request, number of visits, time spent on the website and the external links you have clicked on. The IP address is anonymized the moment Matomo receives it (masking of the last bytes) and only stored afterwards.

Matomo uses cookies for this purpose, which are stored on the user’s computer and enable us to analyze the use of our website. Pseudonymous user profiles can be created from the processed data. The cookies have the following standard storage periods

  • Visitor ID, expires after 13 months
  • Session cookie, expires after 30 minutes
  • Referrer information, expires after 6 months

The information obtained by the cookie is stored exclusively on our own server and is not passed on to third parties. The logs with the pseudonymous usage data are automatically deleted by us after 6 months at the latest.

Users can object to the anonymized data collection by Matomo at any time with effect for the future by deactivating the following checkbox. In this case, an opt-out cookie will be stored in your browser, which means that Matomo will not collect any further session data. If you delete your cookies, the opt-out cookie must be reactivated if necessary:

Online presence in social media

We maintain online presences within social networks and platforms in order to communicate with the customers, interested parties and users active there and to inform them about our services. When accessing the respective networks and platforms, the terms and conditions and data processing guidelines of the respective operators apply.

Unless otherwise stated in this privacy policy, we process users’ data when they communicate with us within the social networks and platforms, e.g. by writing posts on our online presences or sending us messages.

Integration of third-party services and content

On the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offer within the meaning of Art. 6 para. 1 lit. f. GDPR), we use content or service offers from third-party providers within our online offer in order to integrate their content and services, such as videos or fonts (hereinafter uniformly referred to as “content”). GDPR), we use content or service offers from third-party providers in order to integrate their content and services, such as videos or fonts (hereinafter uniformly referred to as “content”).

This presupposes that the third-party providers of this content are aware of the user’s IP address, as they would not be able to send the content to the user’s browser without the IP address. The IP address is therefore required to display this content. We endeavor to only use content whose respective providers use the IP address exclusively to deliver the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. Pixel tags can be used to analyze information such as visitor traffic on the pages of this website. The pseudonymous information can also be stored in cookies on the user’s device and contains, among other things, technical information about the browser and operating system, referring websites, visiting times and other information about the use of our online offer. This information may be combined with information from other sources.

Integration of social plugins of the social network Meta (formerly Facebook)

We use social plugins (“plugins”) of the social network Meta, operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, on the basis of our legitimate interests (Art. 6 para. 1 lit. f GDPR). The plugins include interaction elements or content (e.g. videos, graphics or text contributions) and are recognizable by one of the Meta logos (white “f” on blue tile, ‘Like’ or “thumbs up”) or are marked with “Facebook Social Plugin”. A complete list and the current appearance of the social plugins can be found here:
https://developers.facebook.com/docs/plugins.

When you access a page of our online offering that contains such a plugin, your device establishes a direct connection with Meta’s servers and the plugin content is integrated into the online offering. Meta can create usage profiles and – if you are logged in to Meta – assign the visits to your Meta profile.

The transfer of personal data to third countries (e.g. to the USA) is based on the Standard Contractual Clauses (SCCs) approved by the European Commission to ensure an adequate level of data protection. Further information on data protection at Meta can be found in the privacy policy at https://www.facebook.com/privacy/policy and on personalization or advertising settings (opt-out) at https://www.facebook.com/business/help/1739644726781076 or https://www.facebook.com/help/247395082112892

Integration of content from the social network X

Functions and content of the X service may be offered as part of our online offering. X Corp. (formerly Twitter, Inc.), 1355 Market Street, Suite 900, San Francisco, CA 94103, USA, is responsible for this. The embedded content includes tweets, images, videos and buttons for clicking “Like” or for following profiles.

If you are logged in as a member of X or have a profile there, X can assign the views of the embedded content to your user account. The transfer of personal data to third countries (e.g. the USA) takes place on the basis of the Standard Contractual Clauses (SCCs) approved by the European Commission. Further information on data protection at X can be found in X’s privacy policy at
https://x.com/privacy and on opt-out and personalization settings at https://help.x.com/personalization-data-settings.