Privacy Policy

This privacy policy explains the type, scope and purpose of the processing of personal data (hereinafter referred to as “data”) within our online offering and the associated websites, functions and content as well as external online presences, such as our social media profiles (hereinafter jointly referred to as the “Online Offer”). With regard to the terms used, such as “processing” or “controller”, we refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).

Person responsible

SRC
Security Research & Consulting GmbH
Emil-Nolde-Str.7
D-53113 Bonn
Phone: +49 (0) 228 – 2806 – 0
Fax: +49 (0) 228 – 2806 – 199
Internet: www.src-gmbh.de
eMail: info[at]src-gmbh.de
Managing Directors: Gerd Cimiotti and Markus Schierack
Commercial Register: Bonn HRB 9414
VAT ID number: DE 212254844
https://src-gmbh.de/impressum/

You can contact our data protection officer as follows:

Florian Reichert

Scheja & Partners GmbH & Co KG
Adenauerallee 136
53113 Bonn

Phone: +49 (0) 228-227 226-0
Fax: +49 (0) 228-227 226-26
Contact: http://www.scheja-partners.de/kontakt/kontakt.html
www.scheja-partners.de

Types of data processed:

  • Inventory data (e.g. names, addresses).
  • Contact details (e.g. e-mail, telephone numbers).
  • Content data (e.g. text entries, photographs, videos).
  • Usage data (e.g. websites visited, interest in content, access times).
  • Meta/communication data (e.g. device information, IP addresses).

Purposes of the processing

  • Provision of the online offer, its functions and content.
  • Answering contact requests and communicating with users.
  • Safety measures.

Terminology used

“Personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing” means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and encompasses practically any handling of data.

The “controller” is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Relevant legal bases

In accordance with Art. 13 GDPR, we inform you of the legal basis of our data processing. If the legal basis is not stated in the privacy policy, the following applies: The legal basis for obtaining consent is Art. 6 para. 1 lit. a, the legal basis for the processing for the fulfillment of our services and implementation of contractual measures as well as answering inquiries is Art. 6 para. 1 lit. b GDPR and the legal basis for processing to protect our legitimate interests is Art. 6 para. 1 lit. f GDPR.

We ask you to inform yourself regularly about the content of our privacy policy. We will adapt the data protection declaration as soon as changes to the data processing carried out by us make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g. consent) or other individual notification.

Cooperation with processors and third parties

If we disclose data to other persons and companies (processors or third parties) as part of our processing, transfer it to them or otherwise grant them access to the data, this is done

  • on the basis of legal permission (e.g. if the transfer of data to third parties, such as payment service providers, is necessary for the fulfillment of a contract pursuant to Art. 6 para. 1 lit. b GDPR),
  • insofar as you have given your consent,
  • insofar as a legal obligation provides for this, or
  • on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.).

If we commission third parties with the processing of data on the basis of a so-called “order processing contract”, this is done in accordance with the relevant requirements of Art. 28 GDPR.

Rights of data subjects/right to information

You have the right to receive information about the personal data we have stored about you.

Right of correction and deletion

You can demand the correction of incorrect data and – insofar as the legal requirements are met – the deletion of your data.

Restriction of processing

If the legal requirements are met, you can demand that we restrict the processing of your data.

Data portability

If you have provided us with data on the basis of a contract or consent, you may request that you receive the data you have provided in a structured, commonly used and machine-readable format or that we transfer it to another controller if the legal requirements are met.

Objection to data processing on the legal basis of “legitimate interest”

You have the right to object to data processing by us at any time for reasons arising from your particular situation, insofar as this is based on the legal basis of “legitimate interest”. If you exercise your right to object, we will stop processing your data unless we can demonstrate compelling legitimate grounds for further processing which override your rights in accordance with the statutory provisions.

Right to lodge a complaint with the supervisory authority

You can also lodge a complaint with the competent supervisory authority if you believe that the processing of your data violates applicable law. You can contact the data protection authority responsible for your place of residence or country or the data protection authority responsible for us.

Your contact to us

Furthermore, you can contact us free of charge if you have any questions about the processing of your personal data, your rights as a data subject and any consent you may have given. To exercise all of your aforementioned rights, please contact datenschutz@src-gmbh.de or send a letter to the address given above under “Controller”. Please make sure that we are able to clearly identify you.

Deletion of data

The data processed by us will be deleted or its processing restricted in accordance with Art. 17 and 18 GDPR. Unless expressly stated in this privacy policy, the data stored by us will be deleted as soon as it is no longer required for its intended purpose and the deletion does not conflict with any statutory retention obligations. If the data are not deleted because they are required for other and legally permissible purposes, their processing will be restricted. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons.

According to legal requirements in Germany, the data is stored for 6 years in accordance with § 257 para. 1 HGB (trading books, inventories, opening balance sheets, annual financial statements, commercial letters, accounting vouchers, etc.) and for 10 years in accordance with § 147 para. 1 AO (books, records, management reports, accounting vouchers, commercial and business letters, documents relevant for taxation, etc.).

Order processing for services

We process our customers’ data as part of the ordering process in our online ticket management system in order to enable them to select and order the selected products and services, as well as their payment and delivery or execution.

The processed data includes inventory data, communication data, contract data and payment data. The persons affected by the processing include our customers, interested parties and other business partners. The processing is carried out for the purpose of providing contractual services in the context of operating an online store, billing, delivery and customer services. We use session cookies to store the contents of the shopping cart and permanent cookies to store the login status.

The processing is carried out on the basis of Art. 6 para. 1 lit. b (execution of order processes) and c (legally required archiving) GDPR. The information marked as required is necessary for the establishment and fulfillment of the contract. We only disclose the data to third parties within the scope of delivery, payment or within the scope of legal permissions and obligations towards legal advisors and authorities. The data is only processed in third countries if this is necessary to fulfill the contract (e.g. at the customer’s request for delivery or payment).

We store the IP address and the time of the respective user action as part of the registration and renewed logins and use of our online services. The storage is based on our legitimate interests, as well as the interest of users in protection against misuse and other unauthorized use. This data will not be passed on to third parties unless it is necessary for the pursuit of our claims or there is a legal obligation to do so in accordance with Art. 6 para. 1 lit. c GDPR.

The deletion takes place after the expiry of statutory warranty and comparable obligations; the necessity of storing the data is reviewed every three years. In the case of statutory archiving obligations, the deletion takes place after their expiry (end of the commercial law (6 years) and tax law (10 years) retention obligations).

Administration, financial accounting, office organization, contact management

We process data as part of administrative tasks and the organization of our business, financial accounting and compliance with legal obligations, such as archiving. In doing so, we process the same data that we process as part of the provision of our contractual services. The processing bases are Art. 6 para. 1 lit. c GDPR and Art. 6 para. 1 lit. f GDPR. Customers, interested parties, business partners and website visitors are affected by the processing. The purpose of and our interest in the processing lie in administration, financial accounting, office organization and archiving of data, i.e. tasks that serve the maintenance of our business activities and the provision of our services. The deletion of data with regard to contractual services and contractual communication corresponds to the information specified in these processing activities.

We disclose or transmit data to the tax authorities, consultants such as tax advisors or auditors as well as other fee offices and payment service providers.

We also store information on suppliers, event organizers and other business partners on the basis of our business interests, e.g. for the purpose of contacting them at a later date. We store this data, most of which is company-related, permanently.

Business analyses and market research

In order to operate our business economically and identify market trends, customer and user requirements, we analyze the data we have on business transactions, contracts, inquiries, etc. In doing so, we process inventory data, communication data, contract data, payment data, usage data and metadata on the basis of Art. 6 para. 1 lit. f GDPR, whereby the data subjects include customers, interested parties, business partners, visitors and users of the online offer.

The analyses are carried out for the purpose of business evaluations, marketing and market research. In doing so, we can take into account the profiles of registered users with details of their purchase transactions, for example. The analyses help us to increase user-friendliness, optimize our offer and improve business efficiency. The analyses serve us alone and are not disclosed externally, unless they are anonymous analyses with summarized values.

If these analyses or profiles are personal, they will be deleted or anonymized upon termination by the user, otherwise after two years from the conclusion of the contract. In addition, the overall business analyses and general trend determinations are prepared anonymously wherever possible.

Data protection information in the application process

We process the applicant data only for the purpose and in the context of the application process in accordance with the legal requirements. The processing of applicant data is carried out to fulfill our (pre-)contractual obligations in the context of the application process within the meaning of Art. 6 para. 1 lit. b GDPR, and Art. 6 para. 1 lit. f GDPR if the data processing becomes necessary for us, e.g. in the context of legal proceedings (in Germany, Section 26 BDSG also applies).

The application procedure requires applicants to provide us with their application data. If we offer an online form, the necessary applicant data is marked as such, otherwise it can be found in the job descriptions and basically includes personal details, postal and contact addresses and the documents belonging to the application, such as cover letter, CV and certificates. Applicants can also voluntarily provide us with additional information.

By submitting their application to us, applicants consent to the processing of their data for the purposes of the application process in accordance with the type and scope set out in this privacy policy.

Insofar as special categories of personal data within the meaning of Art. 9 Para. 1 GDPR, their processing is additionally carried out in accordance with Art. 9 para. 2 lit. b GDPR (e.g. health data, such as severely disabled status or ethnic origin). Insofar as special categories of personal data within the meaning of Art. 9 para. 1 GDPR are requested from applicants, their processing is additionally carried out in accordance with Art. 9 para. 2 lit. a GDPR (e.g. health data if this is necessary for the exercise of the profession).

Applicants can send us their applications using an online form on our website. The data is transmitted to us in encrypted form in accordance with the state of the art.

Applicants can also send us their applications by e-mail. Please note, however, that e-mails are generally not sent in encrypted form and applicants must ensure encryption themselves. We can therefore accept no responsibility for the transmission path of the application between the sender and receipt on our server and therefore recommend using an online form or sending it by post. Instead of applying via the online form or by e-mail, applicants still have the option of sending us their application by post.

In the event of a successful application, the data provided by applicants may be processed by us for the purposes of the employment relationship. Otherwise, if the application for a job offer is not successful, the applicant’s data will be deleted. Applicants’ data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time.

The deletion takes place, subject to a justified revocation by the applicant, after a period of six months so that we can answer any follow-up questions about the application and meet our obligations to provide evidence under the Equal Treatment Act. Invoices for any travel expense reimbursements are archived in accordance with tax regulations.

Contact us

When contacting us (e.g. via contact form, e-mail or telephone), the user’s details are processed in order to handle the contact request in accordance with Art. 6 para. 1 lit. f and lit. b GDPR. User data may be stored in a customer relationship management system (“CRM system”) or comparable inquiry organization.

We delete the requests if they are no longer required. We review the necessity every two years; the statutory archiving obligations also apply.

Details of services

Functionality: Presentation of the website

  • Data categories: Date and time of access, duration of the visit, type of terminal device, operating system used, the functions you use, amount of data sent, type of event, IP address, domain name
  • Purpose(s): Provision of the service
  • Legal basis(es): Article 6(1)(b) and (f) GDPR
  • Any legitimate interests pursued: Technical functionality
  • Recipients or categories of recipients: Hosting provider, internal departments, external service provider for technical support
  • Storage periods or criteria for determining them: Immediately after delivery by the web server
  • Obligation to provide personal data and possible consequences of non-provision: No obligation to provide, automated collection by calling up the service

Functionality: Logfiles

  • Data categories: URL accessed, IP address of the user, time and date of access, HTTP status, information about the browser type and version used
  • Purpose(s): Improvement of the website, system security (e.g. prevention of misuse), error diagnosis
  • Legal basis(es): Article 6(1)(b) and (f) GDPR
  • Any legitimate interests pursued: see purposes
  • Recipients or categories of recipients: Hosting provider, internal departments, external service provider for technical support, government agencies on request
  • Storage periods or criteria for determining them: 9 weeks after creation
  • Obligation to provide personal data and possible consequences of non-provision: No obligation to provide, automated collection by calling up the service

Functionality: Newsletter

  • Data categories: E-mail address, date of registration
  • Purpose(s): Reception and processing of inquiries
  • Legal basis(es): Article 6(1)(b) and (f) GDPR
  • Any legitimate interests pursued: see purposes
  • Recipients or categories of recipients: Hosting provider, internal departments, external service provider for newsletter dispatch, government agencies on request
  • Storage periods or criteria for determining them: After final processing of the request and expiry of any relevant retention periods under commercial or tax law
  • Obligation to provide personal data and possible consequences of non-provision: No obligation to provide

Functionality: Booking of events

  • Data categories: Name of the person making the request, postal address, e-mail address
  • Purpose(s): Receiving and processing bookings
  • Legal basis(es): Letters b) and f) GDPR
  • Any legitimate interests pursued: see purposes
  • Recipients or categories of recipients: External service provider for the execution and invoicing of bookings
  • Storage periods or criteria for determining them: After final processing of the request and expiry of any relevant retention periods under commercial or tax law
  • Obligation to provide personal data and possible consequences of non-provision: No obligation to provide