Data protection information in accordance with Article 13 of the GDPR
This document explains how we process your personal data (hereinafter referred to as “data”) in connection with physical and online events and the recording of digital events as well as the rights that you have in this connection.
I. WHO IS RESPONSIBLE FOR PROCESSING MY DATA?
Bertelsmann Stiftung, Carl-Bertelsmann-Straße 256, 33311 Gütersloh, is the data controller with respect to the data specified below. The use of the words “we” or “us” in this document always refers to Bertelsmann Stiftung. We process personal data in accordance with the provisions of the European General Data Protection Regulation (hereinafter referred to as “GDPR”) and the German Federal Data Protection Act (hereinafter referred to as “BDSG”) as well as other data protection requirements that may also be applicable. You can reach our data protection officer at the postal address stated above plus the additional words “For the attention of the data protection officer” or by e-mail at datenschutz@bertelsmann-stiftung.de. You can exercise your rights as a data subject against the data protection officer and also submit any questions relating to the way we process your data.
II. EVENTS
1. PHYSICAL EVENTS
a) FOR WHAT PURPOSE IS MY DATA PROCESSED (PURPOSE OF DATA PROCESSING) AND ON WHAT LEGAL BASIS?
We require your contact and communications data, such as your address, telephone number, e-mail address etc., in order to provide you with information on the events organised by Bertelsmann Stiftung and to enable you to attend them. Please note that any contact data already available will be automatically inserted when you register online for an event in order to keep the registration process as simple for you as possible. Please check the data that is automatically inserted when you register online for any errors and inform us if anything needs to be changed or corrected. The legal basis for processing the data is Article 6 (1)b of the GDPR, as data processing is necessary for the performance of the contract or in order to take steps prior to entering into a contract.
If we serve food at any of our events, we may ask you about possible food allergies. The data that we enter on this question is used solely for the purposes of catering during the events. If the data collected on possible food allergies is classified as medical data, the consent you give and, hence, Article 6 (1)a in connection with Article 9 (2)a of the GDPR constitute the necessary legal basis for processing the data. In all other cases, this is justified on the basis of Article 6 (1)f of the GDPR as the purpose of processing the data is to make your participation in our events as pleasant as possible.
b) WHO GETS MY DATA?
We may forward data to insurance companies, hotels or other service providers in connection with the organisation of events. Data is only forwarded to third parties where this is necessary to perform the agreements that we have entered into with you. We take technical and organisational precautions to ensure compliance with data protection requirements and also impose an obligation on our external service providers and third parties to whom we forward the data in the performance of the contract to observe these precautions. Other than this, we do not disclose your data to any third parties and particularly not for advertising purposes.
c) HOW LONG IS MY DATA STORED FOR?
Details of dietary preferences are deleted 10 days after the event. All other personal data is retained until the termination of the contract or the expiry of all periods during which contractual claims may be asserted. Thereafter, the data is retained for the duration of the applicable archiving and documentation periods (e.g. under commercial or tax law, normally ten years). It may also be stored for a longer period if you have granted your consent to this.
d) WHAT ADDITIONAL ASPECTS MUST BE OBSERVED?
To the extent permitted by law, an attendance list setting out the names, functions and institutions of the persons attending the physical event is compiled and made available to the persons in attendance.
Please also note that photos or audio/video recordings may be made of physical events, e.g. by TV broadcasters for public purposes, (e.g. for publication on our website, reporting on television etc.) as well as for non-public purposes (e.g. for internal documentation of the event, scientific evaluation etc.). Please inform us ahead of the commencement of the event if you do not wish to be seen on any photos or videos of the event.
Please also note that Bertelsmann Stiftung will be sending you information on the foundation activities and publications as well as invitations to events by ordinary post or by e-mail in the future provided that the legal requirements for doing so are satisfied.
The legal basis for the aforementioned data processing is the legitimate interest in structured and constructive communications on the part of all participants of the event and, hence, also our legitimate interest as defined in Article 6 (1)f of the GDPR where the processing of personal data in the form of attendance lists is involved, the consent of the participants of the event with respect to agreed photographs or audio or video recordings and, hence, Article 6 (1)a of the GDPR or our legitimate interest in accordance with Article 6 (1)f of the GDPR and - where the distribution of information material and invitations to events is involved - either your express consent in accordance with Article 6 (1)a of the GDPR or our legitimate interest in accordance with Article 6 (1)f of the GDPR.
2. DIGITAL EVENTS
a) FOR WHAT PURPOSE IS MY DATA PROCESSED (PURPOSE OF DATA PROCESSING) AND ON WHAT LEGAL BASIS?
In connection with online conferences, Bertelsmann Stiftung collects the names of the participants and - where indicated - voluntary information on the participants; for the purposes of participation, participants’ e-mail addresses (if duly requested in the invitation) or telephone numbers (where participants need to dial into the conference) are collected in some cases. Metadata on the conference itself, e.g. the title and content of the conference, is also collected. This also applies to information on the device used by the participants (IP address, telephone number, device data). The conference is normally not recorded unless this is expressly stated by the conference organiser subject to express consultation with the participants.
The data is processed in order to organise the online conference, which in turn is held to facilitate communications between Bertelsmann Stiftung’s employees and external partners. The legal basis for processing the data is the legitimate interest in structured communications as defined in Article 6 (1)f of the GDPR, the consent of the participants of an agreed online conference or the agreed recording of an online conference as defined in Article 6 (1)a of the GDPR and the performance of the contract in accordance with Article 6 (1)b of the GDPR if an online conference is necessary for the purpose of a contract or in order to take steps prior to entering in to a contract. The purpose of the information collected on your device as well as metadata is to ensure technically smooth execution of the conference as far as possible. We have a legitimate interest in this in accordance with Article 6 (1)f of the GDPR.
b) WHO GETS MY DATA?
Your data is not transmitted to any third parties, particularly not for advertising purposes. For the purposes of organising and holding the online conference, it is necessary for personal data to be disclosed to the provider of the conferencing system.
We use the services of Zoom and Microsoft (Microsoft Teams and Skype for Business) for this purpose. A processing agreement is in force with both Microsoft and Zoom. In addition, Zoom and Microsoft apply the standard EU contractual clauses for additional security. Beyond this, no automated decision is made on the basis of your data and no data is transmitted to any third countries outside the European Union.
c) HOW LONG IS MY DATA STORED FOR?
The data is kept for as long as it is required to perform the intended purpose of the online conference. This applies to data concerning the scheduled time and date of the conference and the participants invited to attend; all other data is promptly deleted after the end of the online conference.
If the online conference is recorded, the data is kept for as long as it is required to perform the intended purpose of recording the online conference. Regardless of this purpose, we delete the data no later than thirty days after the conference unless we receive express consent from you permitting us to store it for a longer period.
d) WHAT ADDITIONAL ASPECTS MUST BE OBSERVED?
Please also note that - provided that the applicable legal conditions are satisfied - the online conference may be recorded and such recordings used for internal and/or external presentation of the event.
If the online conference is recorded, Bertelsmann Stiftung collects data, specifically in the form of the video and/or audio recordings. Conferences are only recorded in exceptional situations provided that this is stated by the conference organiser subject to express consultation with the participants.
The data is processed to facilitate communications between Bertelsmann Stiftung’s own employees and external partners. The legal basis for processing the data is the legitimate interest in structured communications as defined in Article 6 (1)f of the GDPR, the consent of the participants of an agreed online conference or an agreed recording of the online conference as defined in Article 6 (1)a of the GDPR and the performance of the contract in accordance with Article 6 (1)b of the GDPR if an online conference is necessary for the purpose of a contract or in order to take steps prior to entering in to a contract. The recording is published only in exceptional cases on the basis of and subject to express prior consent as defined in Article 6 (1) a) GDPR in connection with the online conference.
III. AM I UNDER ANY OBLIGATION TO MAKE THE DATA AVAILABLE?
Within the scope of our business relationship, you must make such data available as is required for recording an online conference and for holding an event as well as for fulfilling the related contractual obligations or that we are under a statutory duty to collect if you wish to participate in the event in question. In the absence of this data we will normally not be able to register you for the event. We will duly designate the data which is voluntary so that you can decide at your own discretion whether to provide it.
IV. WHAT RIGHTS DO I HAVE IN RESPECT OF MY DATA?
You have broad rights with respect to the processing of your personal data. First of all, you have an extensive right to request information and, where applicable, to have your personal data corrected and/or erased or blocked. You may also request that the processing of your data be restricted and also have a right of objection. You also have a right of portability with respect to the personal data that you have made available to us.
You may withdraw consent that you have given us at any time with effect for the future. This withdrawal of your consent does not affect the lawfulness of processing based on your consent before you withdraw it. If your personal data is not processed on the basis of your consent but on another legal basis, you may object to your data being processed. In this case, the data processing will be reviewed and, where applicable, terminated. You will be informed of the result of the review and - if the data is to continue being processed in spite of this - you will receive detailed information from us explaining why the data processing is lawful.
We have appointed a data protection officer, who supports us on all matters related to data protection. Our data protection officer and his team may be contacted at datenschutz@bertelsmann-stiftung.de to answer any questions you may have concerning the way we process personal data. If you believe that the way we process your personal data is inconsistent with the applicable statutory data protection requirements, you may lodge an objection with a supervisory authority. You may also lodge an objection with our data protection officer, who will review the matter and inform you of the results of this review.
