Name and contact data of the data controller pursuant to Article 4 (7) GDPR
Company: Entwicklungsgesellschaft Patton Barracks mbH & Co. KG
Address: Marktplatz 10, 69117 Heidelberg, Germany
Telephone: +49 (0)6221 581 5000
Securing and protecting your personal data
We consider it our primary task to ensure that the personal data you provide to us is kept confidential and protected from unauthorised access. That is why we apply the greatest care and latest security standards to guarantee maximum protection of your personal data.
As a company under private law, we are subject to the provisions of the European General Data Protection Regulation (GDPR) and the provisions of the Federal Data Protection Act (BDSG). We have taken technical and organisational measures to ensure that the privacy regulations are observed both by us as well as by our external service providers.
The legislator requires that personal data be processed in a lawful manner, in good faith and in a manner that is comprehensible to the person concerned (“lawfulness, processing in good faith, transparency”). To ensure this, we would like to inform you about the individual legal definitions that are also used in this privacy statement:
- Personal data
“Personal data” is all information concerning an identified or identifiable natural person (referred to hereinafter as the “data subject”); an identifiable natural person is one who can be identified directly or indirectly, especially by association with an identifier such as a name, an identification number, location data, online identification or with one or several special features that express the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
“Processing” is any operation carried out, with or without the aid of automated procedures, or any such series of operations in connection with personal data, such as the collection, recording, organisation, sorting, storage, adaptation or alteration, reading, retrieval, use, disclosure by transmission, dissemination or any other form of delivery, comparison or link, restriction, deletion or destruction.
- Restriction of processing
“Restriction of processing” is when stored personal data is appropriately labelled in order to restrict its future processing.
“Profiling” is any type of automated processing of personal data involving the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or forecast aspects relating to the work performance, economic situation, health, personal preferences, interests, reliability, behaviour, whereabouts or change in location of that natural person.
“Pseudonymisation” is when personal data is processed in such a way that the personal data can no longer be associated with a specific data subject without drawing on additional information, provided that this additional information is kept separately and is subject to technical and organisational measures which ensure that the personal data cannot be associated with an identified or identifiable natural person.
- File system
“File system” is any structured collection of personal data that is accessible according to certain criteria, regardless of whether this collection is managed centrally, de-centrally or according to functional or geographical criteria.
- Data controller
“Data controller” is a natural person or legal entity, public authority, institution or other agency who/which alone or jointly with others decides on the purposes and means of processing personal data; where the purposes and means of such processing are specified by Union law or the law of the Member States, the data controller or certain criteria for his/her appointment may be laid down by Union law or by the law of the Member States.
“Processor” is a natural person or legal entity, public authority, institution or other agency that processes personal data on behalf of the data controller.
“Recipient” is a natural person or legal entity, public authority, institution or other agency to whom/which personal data is disclosed, regardless of whether aforesaid is a third party. However, public authorities which may receive personal data under Union law or the law of the Member States in connection with a particular investigation mandate do not count as recipients; the processing of such data by aforesaid authorities is subject to the applicable privacy regulations in accordance with the purposes of the processing.
- Third party
“Third party” is a natural person or legal entity, public authority, institution or other agency apart from the data subject, the data controller, the processor and persons authorised to process the personal data under the direct responsibility of the data controller or the processor.
The “consent” of the data subject is any declaration of consent voluntarily made in the specific case, in an informed and unequivocal manner, in the form of a declaration or other clear affirmative act with which the data subject indicates that he/she agrees to the processing of his/her personal data.
Legality of processing
The processing of personal data is only legal if there is a legal basis for the processing. Under Article 6 (1) lit. a–f GDPR, the legal basis for processing can in particular be:
- The data subject has given his/her consent to the processing of his/her personal data for one or more specific purposes;
- The processing is necessary for the performance of a contract, the contracting party of which is the data subject, or for implementing pre-contractual measures taken at the request of the data subject;
- The processing is necessary for fulfilling a legal obligation to which the data controller is subject;
- The processing is necessary to protect the vital interests of the data subject or other natural person;
- The processing is necessary for performing a task in the public interest or exercising official authority conferred on the data controller;
- The processing is necessary to safeguard the legitimate interests of the data controller or a third party, unless the interests or fundamental rights and freedoms of the data subject whose personal data requires protection take precedence, in particular when the data subject is a child.
Information on how we collect your personal data
(1) Below we provide you with information on how we collect your personal data when you use our website. Examples of personal data are name, address, e-mail addresses, user behaviour.
(2) When you contact us by e-mail or by using our contact form, the data you provide (your e-mail address, where applicable your name and telephone number) will be stored by us so that we can answer your questions. We delete the data accruing in this context once its storage is no longer required, or its processing is restricted if statutory retention obligations exist.
How we collect personal data when you visit our website
If you are using the website for information purposes only, i.e. if you do not register or provide us with any other information, the only personal data that we collect is that transmitted by your browser to our server. If you wish to view our website, we collect the following data which is technically necessary for us to display our website to you and to guarantee stability and security (legal basis: Art. 6 (1) sentence 1 lit. f GDPR):
- IP address
- Date and time of access
- Time zone difference in relation to Greenwich Mean Time (GMT)
- Content of the request (specific page)
- Access status/HTTP status code
- Volume of data transferred
- Website from which the request comes
- Operating system and its interface
- Language and version of the browser software
(1) In addition to the aforementioned data, cookies are stored on your computer when you use our website. Cookies are small text files that are stored on your hard disk in the browser you are using and through which certain information is passed to the originator of the cookie. Cookies cannot run programs or transmit viruses to your computer. They are intended to make the internet offerings generally more user-friendly and more effective.
(2) This website uses the following types of cookies, the scope and functioning of which are explained below:
- Transient cookies (see a)
- Persistent cookies (see b)
- Transient cookies are automatically deleted when you close your browser. These include in particular the session cookies. These store a so-called session ID which enables your browser to assign different requests to the common session. This enables your computer to be recognised when you return to our website. Session cookies are deleted when you log out or close your browser.
- Persistent cookies are automatically deleted after a specified period which may vary depending on the cookie. You can delete the cookies at any time in the security settings of your browser.
- You can configure your browser settings according to your preferences and refuse, for example, to accept third party cookies or all cookies. So-called “third party cookies” are cookies set by a third party, in other words not by the actual website you are currently visiting. We would like to point out that the functionalities of the website might be impaired if you deactivate the cookies.
- The flash cookies used are not recorded by your browser but by your flash plug-in. We also use HTML5 storage objects that are stored on your end device. These objects store the required data independently of your browser and do not have an automatic expiry date. If you do not wish the flash cookies to be processed, you must install an add-on, e.g. “Better Privacy” for Mozilla Firefox (https://addons.mozilla.org/de/firefox/addon/betterprivacy/) or the Adobe Flash Killer cookie for Google Chrome. You can prevent the use of HTML5 storage objects by employing the private mode in your browser. We also recommend that you manually delete your cookies and your browser history on a regular basis.
Other functions and offerings of our website
(1) Besides offering you the possibility of visiting our website purely for informational purposes, we also offer various services which might be of interest to you. This will require you to submit further personal data which we use to provide the relevant service and to which the aforementioned data processing principles apply.
(2) In some cases, we use external service providers to process your data. These have been carefully selected and commissioned by us, are bound by our instructions and are regularly checked.
(3) We may also pass on your personal data to third parties if we offer participation in promotions, competitions, contract conclusions or similar services in collaboration with our partners. You can obtain more detailed information on this when entering your personal data or by reading the description of the offering below.
(4) If our service providers or partners are based in a country outside the European Economic Area (EEA), we will inform you of the consequences of this in the description of the offering.
(1) You can consent to subscribe to our newsletter which contains information on our latest offerings of interest. The merchandise services being promoted are stated in the declaration of consent.
(2) We use the double opt-in procedure for subscriptions to our newsletter. This means that we send you an e-mail to your specified e-mail address after you register, asking you to confirm that you would like to receive the newsletter. If you do not confirm your registration within 24 hours, your information will be blocked and automatically deleted after one month. We also store your IP addresses as well as the time of registration and confirmation. The objective of this procedure is to verify your registration and, where possible, prevent any misuse of your personal data.
(3) The only mandatory information for sending the newsletter is your e-mail address. You can voluntarily enter further information that is separately marked as such and used so that we can address you personally. After receiving your confirmation, we save your e-mail address so that we can send you the newsletter. The legal basis for this is Art. 6 (1) sentence 1 lit. a GDPR.
(4) You can revoke your consent to the sending of the newsletter at any time and cancel the newsletter. You can declare your revocation by clicking on the link provided in every newsletter e-mail, by filling out this form on the website, by sending an e-mail to firstname.lastname@example.org or by sending a message to the contact details given in the imprint.
(5) We would like to point out that we evaluate your user behaviour when sending the newsletter. For this evaluation, the e-mails sent contain so-called web beacons or tracking pixels which represent single-pixel image files that are stored on our website. For this evaluation, we link the aforementioned data and web beacons to your e-mail address and an individual ID. We collect the data in an exclusively pseudonymised form; in other words, the IDs are not linked to your other personal data so that any possibility of direct personal reference is excluded. You can object to this tracking at any time by clicking on the separate link provided in each e-mail or by informing us via another contact channel. The information is stored for as long as you have subscribed to the newsletter. After de-registering, we store the data for purely statistical purposes and anonymously.
(6) We use an external service provider for sending the newsletters. A separate data processing agreement has been signed with the service provider in order to guarantee the protection of your personal data. We are currently working with the following service provider:
The Rocket Science Group LLC d/b/a MailChimp
675 Ponce De Leon Ave NE, Suite 5000
Atlanta, Georgia 30308, USA
Telephone: +1 (0)404 806 5843
The following data is transmitted to MailChimp:
- E-mail address
- IP address
Further information can be found in the privacy statement of MailChimp which can be accessed under mailchimp.com/legal/privacy/
MailChimp or its parent company The Rocket Science Group LLC is certified under the US-EU Privacy Shield Agreement, thereby ensuring compliance with European data protection standards. The current status of the certification can be checked under the following link:
Our offerings are essentially aimed at adults. Persons under the age of 18 should not transmit any personal data to us without the consent of their parents or legal guardians.
Rights of data subjects
(1) Revocation of consent
If the processing of personal data is based on consent that has been granted, you have the right to revoke the consent at any time. The revocation of consent shall not affect the legality of the data being processed on the basis of the consent prior to revocation.
You can contact us at any time to exercise your right of revocation.
(2) Right to confirmation
You have the right to request confirmation from the data controller as to whether we are processing personal data relating to you. You can request confirmation at any time using the aforementioned contact details.
(3) Right to information
If personal data is being processed, you can request information about this personal data at any time and about the following information:
- the processing purposes;
- the categories of personal data being processed;
- the recipients or categories of recipients to whom/which the personal data has been or is still being disclosed, in particular recipients in third countries or international organisations;
- if possible, the proposed length of time for storing the personal data or, if this is not possible, the criteria for determining this length of time;
- the existence of a right to have the personal data concerning you corrected or deleted or to restrict aforesaid processing by the controller, or a right to object to this processing;
- the existence of a right of appeal to a supervisory authority;
- if the personal data is not collected from the data subject, all available information on the origin of aforesaid data;
- the existence of an automated decision-making process, including profiling, in accordance with Article 22 (1) and (4) GDPR and, at least in these cases, meaningful information on the logic involved and the scope and intended consequences of such processing for the data subject.
If personal data is transferred to a third country or an international organisation, you have the right to be informed of the appropriate guarantees in accordance with Article 46 GDPR in connection with this transfer. We provide a copy of the personal data that is the subject of the processing. We may charge an appropriate fee based on the administrative costs for any additional copies that you demand for your personal use. If you submit the application electronically, the information is provided in a typical electronic format, unless otherwise specified. The right to obtain a copy in accordance with paragraph 3 shall not prejudice the rights and freedoms of other persons.
(4) Right to correction
You have the right to demand that we immediately correct any inaccurate personal data concerning you. Allowing for the purposes of the processing, you have the right to demand the completion of incomplete personal data – also by means of a supplementary declaration.
(5) Right to deletion (“Right to be forgotten”)
You have the right to demand that the data controller immediately deletes the personal data relating to you, and we are obliged to immediately delete personal data if one of the following reasons applies:
- The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
- The data subject revokes his/her consent which formed the basis of the processing under Article 6 (1) lit. a or Article 9 (2) lit. a GDPR and no other legal basis exists for its processing.
- The data subject objects to the processing under Article 21 (1) GDPR and no overriding legitimate grounds exist for the processing, or the data subject objects to the processing under Article 21 (2) GDPR.
- The personal data has been processed unlawfully.
- The deletion of personal data is necessary to fulfil a legal obligation under Union law or the law of the Member States to which the data controller is subject.
- The personal data has been collected in relation to services offered by the information society in accordance with Article 8 (1) GDPR.
If the data controller has made the personal data public and is obliged to delete aforesaid in accordance with paragraph 1, he/she shall undertake appropriate measures, including technical measures, while allowing for the available technology and implementation costs in order to inform the data controllers processing the personal data that a data subject has demanded the deletion of all links to such personal data or of copies or replications of such personal data.
The right to deletion (“right to be forgotten”) does not exist if the processing is necessary:
- to exercise freedom of expression and information;
- for the performance of a legal obligation which requires aforesaid processing under the law of the Union or of the Member States to which the data controller is subject, or for performing a task in the public interest or exercising official authority conferred on the data controller;
- for reasons of public interest in the field of public health in accordance with Article 9 (2) lit. h and i and Article 9 (3) GDPR;
- for purposes of archiving in the public interest, for scientific or historical research purposes or for statistical purposes as referred to in Article 89 (1) GDPR if the right referred to in paragraph 1 is likely to render impossible or be seriously prejudicial towards attaining the objectives of this processing, or
- to assert, exercise or defend legal claims.
(6) Right to restrict the processing of data
You have the right to demand that we restrict the processing of your personal data if one of the following conditions is met:
- the correctness of the personal data is disputed by the data subject for a period until the data controller is able to verify the correctness of the personal data,
- the processing is unlawful and the data subject refuses to delete the personal data and instead demands that the use of the personal data be restricted;
- the data controller no longer needs the personal data for the purposes of processing, but the data subject requires it for the purpose of asserting, exercising or defending legal claims, or
- the data subject has lodged an objection to the processing in accordance with in Article 21 (1) GDPR until it has been established whether the data controller’s legitimate reasons outweigh those of the data subject.
If processing has been restricted in accordance with the conditions set out above, such personal data shall only be processed – apart from its storage – with the consent of the data subject or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural person or legal entity or for reasons of important public interest of the Union or a Member State.
In order to exercise the right to have the processing of data restricted, the data subject may contact us at any time using the contact details provided above.
(7) Right to have your data transferred.
You have the right to receive the personal data concerning you and made available to us in a structured, typical and machine-readable format, and you have the right to transmit aforesaid data to another data controller without hindrance by this data controller to whom the personal data was provided, subject to the following:
- the processing is based on consent pursuant to Article 6 (1) lit. a or Article 9 (2) lit. a or on an agreement pursuant to Article 6 (1) lit. b GDPR, and
- the processing is carried out with the aid of automated methods.
When exercising your right to have your data transferred under paragraph 1, you have the right to have the personal data transferred directly from one data controller to another data controller to the extent that this is technically feasible. If you exercise your right to have your data transferred, this shall not affect your right to deletion (“right to be forgotten”). This right does not apply to data that must be processed for the performance of a task that is in the public interest or for exercising official authority conferred on the data controller.
(8) Right of objection
You have the right to object at any time to the processing of your personal data under Article 6 (1) lit. e or f GDPR for reasons in connection with your particular situation; this also applies to profiling based on these provisions. The data controller no longer processes the personal data unless he/she can prove compelling legitimate reasons for processing said data which outweigh the interests, rights and freedoms of the data subject, or the processing serves to assert, exercise or defend legal claims.
If personal data is processed for direct advertising purposes, you have the right to object at any time to the processing of your personal data for such advertising purposes; this also applies to profiling insofar as it is associated with such direct advertising. If you object to the processing for direct advertising purposes, the personal data will no longer be processed for these purposes.
In connection with the use of information society services, you can – notwithstanding Directive 2002/58/EC – exercise your right of objection by means of automated processes based on technical specifications.
You have the right to object to the processing of your personal data for reasons in connection with your particular situation if this is done for scientific or historical research purposes or for statistical purposes in accordance with Article 89 (1), unless such processing is necessary for the performance of a task in the public interest.
You can exercise your right of objection at any time by contacting the data controller.
(9) Automated decisions in individual cases including profiling
You have the right not to be subject to a decision based exclusively on automated processing – including profiling – that has legal effect for you or significantly impairs you in a similar manner. This does not apply if the decision:
- is necessary for the conclusion or performance of a contract between the data subject and the data controller;
- is admissible on the basis of regulations of the Union or the Member States to which the data controller is subject, and these regulations contain appropriate measures for safeguarding the rights, freedoms and legitimate interests of the data subject; or
- is made with the express consent of the data subject.
The data controller takes appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject, including at least the right to prompt the intervention of a person by the data controller, to state one’s own position and to challenge the decision.
The data subject may exercise this right at any time by contacting the data controller.
(10) Right to appeal to a supervisory authority
Without prejudice to any other administrative or judicial form of redress, you have the right to appeal to a supervisory authority, in particular in the Member State of your place of residence, work or place of the suspected infringement, if the data subject believes that the processing of the personal data concerning him/her contravenes this provision.
(11) Right to effective judicial redress
Without prejudice to any existing administrative or extra-judicial form of redress, including the right to appeal to a supervisory authority under Article 77 GDPR, you have the right to effective judicial redress if you believe that your rights entitled to you under this provision have been infringed as a result of your personal data being processed in violation of this provision.
Use of Matomo (formerly Piwik)
(1) This website uses the web analysis service Matomo to analyse and regularly improve the use of our website. We can use the statistics thus gained to improve our offering and make it more interesting for you as a user. The legal basis for using Matomo is Article 6 (1) sentence 1 lit. f GDPR.
(2) Cookies are stored on your computer for this evaluation. The information thus collected is stored by the data controller exclusively on his/her server in [Germany]. You can suspend the evaluation by deleting the cookies and preventing the storage of cookies. If you prevent the storage of cookies, we wish to point out that you might not be able to use all the functionalities of this website. You can prevent the cookies from being stored by appropriately setting your browser. You can prevent Matomo from being used by removing the tick below so that the opt-out plug-in can be activated: [Matomo iFrame].
(3) This website uses Matomo with the “AnonymizeIP” extension. This means that the IP addresses are processed in an abbreviated form so that direct personal contact is prevented. The IP address transmitted by your browser using Matomo is not merged with other data collected by us.
(4) The Matomo program is an open source project. You can read the third-party provider’s information on how it protects data under https://matomo.org/privacy-policy/.
Use of social media plug-ins
(1) We currently use the following social media plug-ins: [Facebook, Google+, Twitter, Xing, T3N, LinkedIn, Flattr]. We use the so-called two-click solution. This means that, when you visit our site, no personal data is initially passed on to the providers of the plug-ins. You can recognise the provider of the plug-in by the sign on the box above the first letter or logo. We offer you the possibility of communicating directly with the provider of the plug-in via the button. The plug-in provider only receives information that you have accessed the corresponding website of our online offering if you click on the marked field and thereby activate it. The data collected on your visit to our website is also transmitted. In the case of Facebook and Xing, the providers in Germany state that the IP address is anonymised immediately after collection. By activating the plug-in, personal data is thus transferred from you to the respective plug-in provider and stored there (for US providers in the USA). As the plug-in provider collects data mainly by means of cookies, we recommend you to delete all cookies before clicking on the greyed-out box via your browser’s security settings.
(2) We have no influence on the data collected and the means by which it is processed, nor are we aware of the full extent to which data is collected or of the purposes of processing or the storage periods. We also do not have any information on the plug-in provider’s policy for deleting the collected data.
(3) The plug-in provider stores the data collected about you in the form of user profiles and uses them for advertising purposes, market research and/or for designing its website in line with your requirements. An evaluation of this kind is carried out in particular (also for users who are not logged in) for showing needs-based advertising and for informing other users of the social network about your activities on our website. You have a right to object to the creation of these user profiles; to exercise this right, you must contact the respective plug-in provider. Via these plug-ins, we offer you the possibility of interacting with social networks and other users to enable us to improve our offering and make it more interesting for you as a user. The legal basis for using plug-ins is Article 6 (1) sentence 1 lit. f GDPR.
(4) Data is passed on regardless of whether you have an account with the plug-in provider and are logged in there. If you are logged in at the plug-in provider, your data that we have collected is directly assigned to your existing account with the plug-in provider. If you click the activated button and, for example, link the page, the plug-in provider also stores this information in your user account and shares it publicly with your contacts. We recommend you to log out regularly after using a social network, but especially before activating the button to prevent you from being assigned to your profile at the plug-in provider.
(5) Further information on the purpose and scope of data collection and the way in which the plug-in provider processes this can be found in the privacy statements of these providers stated below. Here you can also receive more information about your rights and setting options for protecting your privacy.
(6) Addresses of the respective plug-in providers and the URLs with their privacy notices:
- Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA; www.facebook.com/policy.php; further information on collecting data: http://www.facebook.com/help/186325668085084, http://www.facebook.com/about/privacy/your-info-on-other#applications and http://www.facebook.com/about/privacy/your-info#everyoneinfo. Facebook is certified under the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
- Google Inc., 1600 Amphitheater Parkway, Mountainview, California 94043, USA; https://www.google.com/policies/privacy/partners/?hl=de. Google is certified under the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
- Twitter, Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA; https://twitter.com/privacy. Twitter is certified under the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
- LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA; http://www.linkedin.com/legal/privacy-policy. LinkedIn is certified under the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
We use the services of external providers (contract processors), e.g. for dispatching goods, newsletters or for settling payments. A separate data processing agreement has been signed with the service provider in order to guarantee the protection of your personal data.
We cooperate with the following service providers:
CORE IDEA Marketing & Communications GmbH
40082 Ratingen, Germany
Dipl.-Ing. David Resch
Huckarder Straße 12
44147 Dortmund, Germany
S-Immobilien Heidelberg GmbH
69115 Heidelberg, Germany
69115 Heidelberg, Germany
Konversionsgesellschaft Heidelberg mbH
69117 Heidelberg, Germany
City of Heidelberg
69117 Heidelberg, Germany
The Rocket Science Group LLC d/b/a MailChimp
675 Ponce De Leon Ave NE, Suite 5000
Atlanta, Georgia 30308, USA
Telephone: +1 (0)404 806 5843
Matomo, formerly PIWIK
51149 Cologne, Germany
Telephone: +49 (0)221 6430 7750