Privacy Policy

This data protection information, intends to inform our website visitors about how we process personal data or outline you about your rights. We are aware of the sensitive nature of processing personal data and accordingly observe all relevant legal requirements. The protection of your privacy is of utmost importance to us. All processing of your personal data is carried out in compliance with the current General Data Protection Regulation, as well as other data protection regulations.

Person responsible for data processing

HeiGIT gGmbH
Schloss-Wolfsbrunnenweg 33
69118 Heidelberg
E-Mail: info[at]heigit.org

Contact details of the data protection officer: eprivacy[at]heigit.org

Definition of terms

This data protection notice uses the terms of the General Data Protection Regulation (GDPR):

  • “Personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • “Processing” means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • “Restriction of processing” means the marking of stored personal data with the aim of limiting their future processing.
  • “Pseudonymisation” means the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without additional information, provided that such additional information is kept separately and is subject to technical and organisational measures which ensure that the personal data are not attributed to an identified or identifiable natural person.
  • “File system” means any structured collection of personal data accessible according to specified criteria, whether such collection is maintained on a centralised, decentralised or functional or geographical basis.
  • “Controller” means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for by Union or Member State law.
  • “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  • “Recipient” means a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not a third party. However, public authorities which may receive personal data in the framework of a specific investigation mandate under Union or Member State law shall not be considered as recipients and the processing of such data by those authorities shall be carried out in accordance with the applicable data protection rules, in accordance with the purposes of the processing.
  • “Third party” means any natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons who are authorised to process the personal data under the direct responsibility of the controller or the processor.
  • “Consent” means the freely given specific, informed and unambiguous indication of the data subject’s wishes in the form of a statement or other unambiguous affirmative act by which the data subject signifies his or her agreement to the processing of personal data relating to him or her.

Processing operations

We collect and process the following personal data about you:

  • Contact, event, API-Key and master data information if you have provided us with your contact information or registered on our site,
  • Online identifiers (e.g. your IP address, browser type and version, operating system used, referrer URL, IP address, file name, access status, amount of data transferred, date and time of server request),
  • for the purpose of contacting you,
  • for information about our activities and offers,
  • Contract data (e.g. subject matter of the contract, contract term, contract category),
  • Application (by post, via e-mail),
  • Implementation of events,
  • Video conferences, sound and image recordings,
  • Social media identifiers.

Data processing purposes

We process your data for the following purposes:

  • to process our services e.g. openrouteservice,
  • for quality assurance,
  • for our statistics.

Legal basis for data processing

Your data is processed on the following legal bases:

  • your consent according to Art. 6 para. 1 lit. a) GDPR,
  • for the performance of a contract with you according to Art. 6 para. 1 lit. b) GDPR,
  • to fulfil legal obligations according to Art. 6 Para. 1 lit. c) GDPR,
  • for a legitimate interest according to Art. 6 para. 1 lit. f) GDPR.

If we base the processing of your personal data on legitimate interests within the meaning of. Art. 6 para. 1 lit. f) GDPR, such interests are

  • the improvement of our offer,
  • the protection against misuse,
  • the management of our statistics.

Data sources

We obtain the data from you (including via the devices you use). If we do not collect the personal data directly from you, we will also tell you the source of the personal data and, if applicable, whether it comes from publicly available sources.

Transfer/data recipient

In processing your data, we work with the following service providers who have access to your data:

  • Web analytics tool providers,
  • Web hosting providers,
  • Administration service providers,
  • Video conferencing service providers,
  • Social media.

Data is transferred to third countries outside the European Union. This takes place on the basis of contractual regulations provided for by law, which are intended to ensure an appropriate level of protection for your data and which you can view on request.

Duration of processing

We only store your personal data for as long as is necessary to achieve the purpose of the processing or for as long as the storage is subject to a statutory retention period.

We store your data, if:

  • you have consented to the processing, at most until you revoke your consent;
  • we require the data for the performance of a contract, at most for as long as the contractual relationship with you exists or for as long as statutory retention periods apply,
  • we use the data on the basis of a legitimate interest, at most for as long as your interest in deletion or anonymisation does not prevail.

Your rights

Within specific limits depending on particular circumstances, you have the right to:

  • request information free of charge about the processing of your data and to receive a copy of your personal data. Among other things, you can request information about the purposes of the processing, the categories of personal data that are processed, the recipients of the data (if the data are passed on), the duration of the storage or the criteria for determining the duration;
  • rectify your data. If your personal data is incomplete, you have the right to complete the data, taking into account the purposes of the processing;
  • have your data erased or blocked. Reasons for the existence of a right to erasure/blocking may be, among others, the revocation of the consent on which the processing is based, the data subject objects to the processing, the personal data have been processed unlawfully;
  • to have the processing restricted;
  • object to the processing of your data;
  • withdraw your consent to the processing of your data for the future;
  • complain to the competent supervisory authority about unlawful data processing.

Further information on data protection

CleverReach

We use CleverReach to send newsletters. The provider is CleverReach GmbH & Co. KG, Schafjückenweg 2, 26180 Rastede, Germany. CleverReach is a service that can be used to organise and analyse the sending of newsletters. The data you enter for the purpose of receiving the newsletter (e.g. email address) is stored on CleverReach’s servers in Germany and Ireland.

Our newsletters sent with CleverReach enable us to analyse the behaviour (conversion tracking) of newsletter recipients. Among other things, we can analyse how many recipients have opened the newsletter message and how often which link in the newsletter was clicked on. The data processing takes place on the basis of your consent (Art. 6 para. 1 lit. a) GDPR). You can revoke this consent at any time by unsubscribing from the newsletter. The legality of the data processing operations that have already taken place remains unaffected by the cancellation. If you do not want CleverReach to analyse your data, you must unsubscribe from the newsletter. For this purpose, we provide a corresponding link in every newsletter message or you can also unsubscribe from the newsletter directly on the website. The data you provide us with for the purpose of subscribing to the newsletter will be stored by us until you unsubscribe from the newsletter and deleted from both our servers and CleverReach’s servers after you unsubscribe from the newsletter.

Further information on this can be found in CleverReach’s privacy policy at: https://www.cleverreach.com/en-de/privacy-policy/.

Data protection

We have taken extensive technical and organisational measures to protect your data against possible dangers, such as unauthorised access, unauthorised disclosure, modification or distribution, as well as against loss, destruction or misuse.

In order to protect your personal data from unauthorised access by third parties during transmission, we secure data transmissions using TLS encryption where necessary. This is a standardised encryption procedure for online services, designed especially for internet traffic.

Log files

Each time you access our website, usage data is transmitted by the respective internet browser and stored in our server´s log files. These data records contain the following data:

  • Domain from which the user accesses the website,
  • Date, time of access and the IP address of the accessing computer,
  • website(s) visited by the user within the scope of the offer,
  • amount of data transferred,
  • browser type and version,
  • operating system used,
  • message as to whether the retrieval was successful.

These log file data records are evaluated anonymously in order to improve our offer and make it more user-friendly, to find and correct errors and to manage our servers.

Cookies

This website does not currently use cookies.

Google reCAPTCHA

To ensure that data security is guaranteed when contact or newsletter forms are transmitted, the reCAPTCHA service from Google Inc. is used. This serves to differentiate whether an entry is made by a natural person or abusively by machine and automated processing. For this purpose, the service processes the IP address of the end device used, the website that you visit with us and on which the captcha is integrated, the date and duration of the visit, the identification data of the browser and operating system type used, and any other data required by Google for the reCAPTCHA service. The deviating data protection provisions of Google Inc. apply here.
Further information on the data protection guidelines of Google Inc. can be found at https://policies.google.com/privacy?hl=en&gl=en.

Status of this data protection information

April 2022

We reserve the right to change or update this privacy policy at any time as required to continue to conform to the most recent public policies and legal requirements pertaining to data protection.