Privacy Policy

Scope

This privacy policy applies to our website (correlaid.org) and the social media presence of CorrelAid e.V. It does not extend to any linked websites or internet presences of other providers.

I. General Information

Responsible Party

The following party is responsible for the processing of personal data within the scope of this privacy policy:

CorrelAid e.V.
Pasteurstr. 34
10407 Berlin
E-Mail: info@correlaid.org

Questions about Data Protection

If you have any questions about data protection in relation to our association or our website, you can contact our data protection officer:

SPIRIT LEGAL Rechtsanwaltsgesellschaft mbH
Rechtsanwalt und Datenschutzbeauftragter
Peter Hense

Postanschrift:
Datenschutzbeauftragter
c/o CorrelAid e.V., Pasteurstr. 34, 10407 Berlin

Security

We have taken comprehensive technical and organizational precautions to protect your personal data from unauthorized access, misuse, loss, and other external interference. To this end, we regularly review our security measures and adapt them to the state of the art.

Your Rights

You have the following rights with regard to the personal data concerning you, which you can assert against us:

Right to information: You may request information about your personal data that we process in accordance with Art. 15 GDPR.
Right to rectification: If the information concerning you is no longer accurate, you may request rectification in accordance with Art. 16 GDPR. If your data is incomplete, you may request that it be completed.
Right to erasure: You may request the erasure of your personal data in accordance with Art. 17 GDPR.
Right to restriction of processing: You have the right to request a restriction on the processing of your personal data in accordance with Art. 18 GDPR.
Right to object to processing: You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data carried out on the basis of Article 6(1)(e) or (f) GDPR, in accordance with Article 21(1) GDPR. In this case, we will no longer process your data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms. Further processing also takes place if the processing serves to assert, exercise, or defend legal claims (Article 21(1) GDPR). In addition, pursuant to Art. 21(2) GDPR, you have the right to object at any time to the processing of your personal data for the purpose of direct marketing; this also applies to any profiling insofar as it is related to such direct marketing. We draw your attention to the right to object in this privacy policy in connection with the respective processing.
Right to withdraw your consent: If you have given your consent to processing, you have the right to withdraw your consent in accordance with Art. 7(3) GDPR.
Right to data portability: You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format (“data portability”) and the right to transmit this data to another controller if the conditions of Art. 20(1)(a), (b) GDPR are met (Art. 20 GDPR).

You can assert your rights by contacting the contact details listed in the “Controller” section or by contacting the data protection officer designated by us.

If you believe that the processing of your personal data violates data protection law, you also have the right under Art. 77 GDPR to lodge a complaint with a data protection supervisory authority of your choice. This includes the data protection supervisory authority responsible for the controller:

Berlin Commissioner for Data Protection and Freedom of Information
Alt-Moabit 59-61, 10555 Berlin
Telephone: 030/138 89-0
Email: mailbox@datenschutz-berlin.de
https://www.datenschutz-berlin.de

II. Data Processing on Our Website

1. Use of Our Website

When you visit our website, your browser transmits information to the server in order to establish a connection and display the content securely, quickly, stably, and in the correct format on your device. The following data may be processed in this process:

Browser type / browser version
Operating system used
Language and version of the browser software
Date and time of access
Host name of the accessing end device
IP address
Content of the request (specific website)
Access status / HTTP status code
Websites accessed via the website
Referrer URL (the previously visited website)
Message indicating whether the access was successful
Amount of data transferred

The temporary processing of this data is necessary to technically enable the process of visiting a website and delivering the website to your end device. The access data is not used to identify individual users and is not merged with other data sources. The legal basis for processing is Art. 6(1)(f) GDPR. The processing serves our legitimate interest in displaying the content of our website to you quickly, stably, and in the correct format, in ensuring the security and functionality of our website, and in being able to investigate and prosecute any illegal attacks on our website. The access data is deleted as soon as it is no longer necessary for the purpose of its processing.

You may object to the processing. Your right to object exists for reasons arising from your particular situation. You can send us your objection using the contact details provided in the “Controller” section.

2. Contacting Our Association

When you contact our association, e.g. by email, we process the personal data you provide in order to respond to your inquiry. The legal basis for processing is Art. 6(1)(f) GDPR or Art. 6(1)(b) GDPR if the purpose of contacting us is to conclude a contract. If the purpose of the inquiry is to conclude a contract, the provision of your data is necessary and mandatory. If the data is not provided, it is not possible to conclude or execute a contract or process the request. We delete the data collected in this process once processing is no longer necessary or, if necessary, restrict processing to compliance with existing legally binding retention obligations.

You can object to the processing. Your right to object exists for reasons arising from your particular situation. You can send us your objection using the contact details provided in the “Controller” section.

3. Registration for Our Events

3.1. Registration and Administration

You can register for one of our events on our website. To do so, you must provide personal data such as your first and last name, your organization and professional background, your motivation, and your contact details (email address). The mandatory information required for participation is marked separately; further information is provided voluntarily. We process your data for the purpose of registration and implementation of the event. The legal basis for processing is Art. 6(1)(b) GDPR. The provision of your data is necessary and mandatory for participation or implementation. If you do not provide your data, registration and/or implementation will not be possible. After you register, we will send you a confirmation of registration by email and, depending on the event, further information such as the access data for the virtual event room.

For registration, we use the ticketing platform pretix from pretix GmbH, Berthold-Mogel-Straße 1, 69126 Heidelberg. pretix processes your data on our behalf and on the basis of a so-called data processing agreement in accordance with Art. 28 GDPR.

3.2. Holding Digital Events

We generally use the Zoom platform to hold our digital events. Zoom uses the data you provide on our behalf to enable you to participate in our digital event. We have concluded a contract with Zoom for order processing in accordance with Art. 28 GDPR.

You can participate in our events by providing your name or a pseudonym. When you enter the virtual event room, your first and last name or your pseudonym will be displayed in the list of participants. Your full name or pseudonym will also be displayed in the chat when you enter something there. The chat is visible to all participants. Additional personal data, such as your camera image or verbal contributions, will be processed when you activate your camera and/or microphone. In addition, Zoom collects other data during the event, such as access to and exit from the event, session ID, role (attendee), and user agent (browser, operating system). The digital event will only be recorded after participants have been informed in advance.

The legal basis is Art. 6(1)(b) GDPR. The provision of your data is necessary and mandatory for participation in the digital event. If you do not provide your data, participation is not possible.

We will delete the data collected in this context once storage is no longer necessary, or restrict processing if there are legal retention obligations.

4. Donations via Our Donation Form (Twingle)

We use the donation form provided by twingle GmbH, Prinzenallee 74, 13357 Berlin, on our website. twingle GmbH provides the technical platform for the donation process for this donation form. The data you enter when making a donation (e.g., address, bank details, etc.) is stored by twingle on servers in Germany solely for the purpose of processing the donation. Twingle processes your information from the donation form on our behalf and on the basis of a so-called order processing agreement in accordance with Art. 28 GDPR. The legal basis is Art. 6(1)(b) GDPR. Providing your data in the donation form is mandatory for donating via the form. If you do not provide us with your data, you will not be able to send us your donation via our donation form. However, if you do not wish to use the form, you are welcome to send us a direct request using the contact details provided under “Responsible party.” We delete the data collected in the donation form once processing is no longer necessary or, if necessary, restrict processing to compliance with existing legally binding retention obligations.

You can subscribe to one of our email newsletters on our website.

In our monthly newsletter for nonprofits, we provide insights into our work: past Data4Good projects, upcoming events and educational workshops, updates from our community, and the latest PR activities. To receive the newsletter, you must provide your email address and your first and last name. We process this data for the purpose of sending you the newsletter. You also have the option of providing your organization’s website and field of activity. We process this data with your consent for analysis purposes in order to better understand the target groups we reach.

The legal basis for processing is Art. 6(1)(a) GDPR. We delete your data once processing is no longer necessary or, if necessary, restrict processing to comply with existing mandatory legal retention obligations.

You can revoke your consent to the processing of your personal data in connection with subscribing to our newsletter at any time. You can revoke your consent to the processing of your data for the purpose of receiving the newsletter either by clicking directly on the unsubscribe link in the newsletter or by sending us a message using the contact details provided under “Controller.” You can revoke your consent to the processing of your optional data by sending us a message using the contact details provided under “Controller.” Your revocation does not affect the lawfulness of the processing that took place on the basis of your consent until the time of your revocation.

Our volunteer newsletter not only provides you with monthly information and updates from our Data4Good community, but also announcements for our Data4Good projects and invitations to major CorrelAid events such as our annual community meetup. You can also subscribe to updates from CorrelAidX local groups in your area.

To receive the newsletter, you must provide your email address and first name. We process this data for the purpose of sending you the newsletter. In addition, you have the option of selecting one or more CorrelAidX local groups. In this case, we will inform you about updates from the selected local group(s). You also have the option of providing your gender, year of birth, country, and city. We process this data with your consent for analysis purposes in order to learn more about the composition of our newsletter recipients.

The legal basis for processing is Art. 6(1)(a) GDPR. We will delete your data once processing is no longer necessary or, if necessary, restrict processing to comply with existing mandatory legal retention requirements.

c) Double Opt-In Procedure

In order to document your newsletter registration and prevent misuse of your personal data, registration for our email newsletter takes the form of a double opt-in procedure. After you have entered the data marked as mandatory, we will send you an email to the email address you provided, asking you to expressly confirm your subscription to the newsletter by clicking on a confirmation link. In doing so, we process your IP address, the date and time of your newsletter registration, and the time of your confirmation. This allows us to ensure that you really want to receive our email newsletter. We are legally obliged to prove your consent to the processing of your personal data in connection with your registration for the newsletter (Art. 7(1) GDPR). Due to this legal obligation, data processing is carried out on the basis of Art. 6(1)(c) GDPR.

We also statistically evaluate newsletter open rates, the number of clicks on links contained therein, and reading time. For this purpose, user behavior within the newsletters we send is evaluated based on device-specific information (e.g., email client used and software settings). For this analysis, the emails sent contain so-called web beacons or tracking pixels.

The legal basis for the processing is Art. 6(1)(a) GDPR. We delete your data after processing is no longer necessary or, if necessary, restrict processing to comply with existing mandatory legal retention obligations.

You can revoke your consent at any time, either by sending us a message (see the contact details in the “Controller” section) or by clicking on the unsubscribe link contained in the newsletter. This does not affect the lawfulness of the processing that has taken place on the basis of your consent until the time of your revocation.

e) Email Marketing Service Provider

We use the external marketing service provider “MailerLite,” a service offered by MailerLite Limited (88 Harcourt Street, Dublin 2, D02 DK18, Ireland), to send out our newsletter. MailerLite processes your personal data as our processor on the basis of a data processing agreement in accordance with Art. 28 GDPR.

6. Hosting

We use external hosting services provided by Vercel Inc. (440 N Barranca Ave #4133, Covina, CA 91723, USA), which serve to provide the following services: infrastructure and platform services, computing capacity, storage resources and database services, security and technical maintenance services. For these purposes, all data necessary for the operation and use of our website is processed, including the access data mentioned under “Use of our website.” The provider processes your personal data as our processor on the basis of a data processing agreement in accordance with Art. 28 GDPR. Vercel also processes your personal data in the USA. An adequacy decision by the EU Commission exists for data transfers to the USA. Vercel is certified within the scope of this decision. In addition, standard contractual clauses have been concluded with Vercel to oblige Vercel to maintain an adequate level of data protection. You can obtain a copy of the standard contractual clauses at https://vercel.com/legal/dpa.

7. Plausible Web Analytics Software

We use Plausible web analytics software to make our website better and more user-friendly. The provider is Plausible Insights OÜ (Västriku tn 2, 50403, Tartu, Estonia). Plausible does not collect or store any personal data of individual visitors, but only evaluates the access data in aggregated form. Specifically, Plausible uses the following data categories: content of the request (specific website), referrer URL (the previously visited website), browser, operating system, device type, country, region, city.

The legal basis for processing is Art. 6(1)(f) GDPR. Our legitimate interests lie in the analysis and improvement of our website. Your data is only stored for analysis purposes in aggregated, non-personal form.

1. General Information

We maintain publicly accessible profiles on various social networks (hereinafter collectively referred to as “our profiles”). Your visit to our profiles triggers a number of data processing operations. Below, we provide an overview of which of your personal data we collect, use, and store when you visit our profiles. You are not obliged to provide us with your personal data. However, this may be necessary for individual functions of our profiles on social networks. These functions will not be available to you or will only be available to a limited extent if you do not provide us with your personal data.

When you visit our profiles, your personal data is collected, used, and stored not only by us, but also by the operators of the respective social network. This also happens if you do not have a profile on the respective social network yourself. The individual data processing operations and their scope vary depending on the operator of the respective social network and are not necessarily traceable to us. Details about the collection and storage of your personal data, as well as the nature, scope, and purpose of its use by the operator of the respective social network, can be found in the privacy policies of the respective operator:

a) Instagram

The privacy policy for the social network Instagram, operated by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland, can be viewed at https://privacycenter.instagram.com/policy.

b) Mastodon

The privacy policy for the social network Mastodon can be viewed at https://masto.ai/privacy-policy.

c) LinkedIn

The privacy policy for the social network LinkedIn, operated by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, can be viewed at https://ch.linkedin.com/legal/privacy-policy.

d) Facebook

You can view the privacy policy for the social network Facebook, which is operated by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland, at https://www.facebook.com/privacy/policy/?locale=de_DE.

e) YouTube

The privacy policy for the video platform YouTube, operated by YouTube, LLC (headquartered at 901 Cherry Avenue, San Bruno, CA 94066, USA), a subsidiary of “Google” (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, and Google, LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA), can be viewed at https://policies.google.com/privacy?hl=de.

2. Communication with Users

Our profiles are used for public relations purposes relating to our association and for communicating and establishing contact with potential non-profit organizations and volunteers. When using our profiles, we process personal data such as your name, profile picture, and information that you have provided when using interactive features (e.g., commenting, sharing, and rating). The legal basis for the operation of our profiles and the processing of personal data is Art. 6(1)(f) GDPR. Our legitimate interest lies in the public relations work of our association.

When you visit our profiles, data may be processed outside the European Union, in particular in the USA. The EU Commission has issued an adequacy decision for data transfers to the USA. The social media providers mentioned are certified within the scope of this decision. Further information on possible data transfers to third countries and the relevant legal basis can be found in the privacy policies of the social networks.

We have no influence on the storage period of your personal data that you have published on our profiles. We store your data until the purpose of processing has been achieved or we restrict processing if there are legal storage obligations. Further information on data protection and the storage period can be found in the social network privacy policies linked above.

The operators of the social networks on which we maintain our profiles provide us with anonymized statistical evaluations of interactions with our profiles. We use this data to improve the user experience on our profiles. It is not possible for us to draw conclusions about individual users or access individual user profiles. Our legal basis for processing the information from the statistical analysis is Art. 6(4) GDPR in conjunction with Art. 6(1)(f) GDPR. Our legitimate interest in statistical analysis lies in improving and adapting our advertising measures based on the information collected and the opportunity to learn more about user interaction on our profiles.

According to the case law of the European Court of Justice, the use of statistical evaluations may, under certain circumstances, be classified as data processing under the joint responsibility of the social network operator and the profile owner. Against this background, we have concluded a joint responsibility agreement in accordance with Art. 26 GDPR with the following social network operators:

a) LinkedIn

You can view the joint responsibility agreement for LinkedIn Page Insights at https://legal.linkedin.com/pages-joint-controller-addendum.

b) Facebook

You can view the joint responsibility agreement for Instagram and Facebook Page Insights at https://www.facebook.com/legal/controller_addendum.