AIDS Action Europe
c/o Deutsche AIDS-Hilfe e.V.
10963 Berlin, Germany
Chief Executive Officers: Silke Klumb and Peter Stuhlmüller
Types of processed data
- Inventory data (e.g., names, addresses)
- Contact information (e.g., e-mail)
- Content data (e.g., text input, pictures)
- Usage data (e.g., websites visited, interest in content, access times)
- Communication data (e.g., device information, IP addresses).
- Provision of the online performance, its features and contents.
- Replying to requests and communicating with users.
- Safety measures.
- Reach Measurement.
“Personal data” means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is broad and covers practically every handling of data.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Relevant legal bases
Collaboration with processors and third parties
If, in the course of our processing, we disclose or transmit data to other persons and companies (contract processors or third parties) or otherwise grant them access to it, this happens only on the basis of a legal permission (e.g. if a transmission of the data to third parties, as required by payment service providers, is necessary to fulfill the contract pursuant to Art. 6 (1) lit. b GDPR), if you have consented, if a legal obligation requires it, or on the basis of our legitimate interests (e.g. the use of webhosts, etc.).
Third parties can only process data on the basis of a so-called "job-processing contract" pursuant to Art. 28 GDPR.
Transfers to third countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or if this happens in the context of the use of third-party services or the disclosure or transmission of data to third parties, it happens only to fulfill our (pre-)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process the data, or have it processed, in a third country only if the special conditions of Art. 44 et seq. GDPR are met. This means the processing takes place on the basis of specific guarantees, such as an officially recognized level of data protection (e.g. for the US through the Privacy Shield) or compliance with officially recognized contractual obligations (so-called "standard contractual clauses").
Rights of data subject
You have the right to obtain from the controller confirmation as to whether the data in question is being processed, and the right to information about this data as well as to further information and a copy of the data in accordance with Art. 15 GDPR.
In accordance with Art. 16 GDPR, you have the right to have incomplete personal data completed or to obtain the rectification of inaccurate personal data.
In accordance with Art. 17 GDPR, you have the right to demand that the relevant data be deleted without undue delay or, alternatively, to require a restriction of the processing of the data in accordance with Art. 18 GDPR.
You have the right to receive data referring to you, which you have provided to us, in accordance with Art. 20 GDPR and to request their transmission to other responsible persons.
According to Art. 77 GDPR, you have the right to lodge a complaint with the competent supervisory authority.
You have the right to withdraw your consent in accordance with Art. 7 (3) GDPR with effect for the future.
Right to object
You have the right to object to the future processing of your data in accordance with Art. 21 GDPR at any time. The objection may in particular be made against processing for direct marketing purposes.
Cookies and right to object in direct mail
"Cookies" are small files that are stored on users' computers. Different information can be stored within cookies. A cookie is primarily used to store information about a user (or the device on which the cookie is stored) during or after their visit to a website. Temporary cookies, also called "session cookies" or "transient cookies", are deleted after a user leaves the website and closes their browser. Such cookies can store, for example, the contents of a shopping cart in an online store or a log-in session. The term "permanent" or "persistent" refers to cookies that remain stored even after the browser has been closed. For example, the log-in status can remain saved when users return to the website after several days. Likewise, such a cookie can store the interests of a user, which are used for reach measurement or marketing purposes. "Third-party cookies" are offered by providers other than the person responsible for the online offer (if only the cookies of the person responsible are involved, they are called "first-party cookies").
If users do not want cookies stored on their computer, they can disable the option in their browser's system settings. Saved cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this website.
Right to erasure
If the data is not deleted because it is required for other, legitimate purposes, its processing will be restricted. In this case, the data is blocked and will not be processed for other purposes. This applies, for example, to data that must be kept for financial, commercial or tax reasons.
According to legal requirements in Germany, data is retained in particular for 6 years pursuant to § 257 paragraph 1 HGB (“Handelsgesetzbuch”: trading books, inventories, opening balance sheets, annual accounts, trade letters, accounting documents, etc.) and § 10 paragraph 1 AO (books, records, management reports, and other), and for 10 years pursuant to § 147 paragraph 1 AO (“Abgabenordnung”: books, records, management reports, accounting records, trade and business letters, tax documents, and others).
We host our website to provide the following services: infrastructure and platform services, computing capacity, storage and database services, security and technical maintenance services, which we use to operate the website.
We, or our hosting provider, process inventory data, contact data, content data, contract data, usage data, meta and communication data of customers, interested parties and visitors to our online service on the basis of our legitimate interests in an efficient and secure provision of our website according to Art. 6 (1) lit. f GDPR in connection with Art. 28 GDPR (conclusion of a job-processing contract).
Collection of access data and log files
We, or our hosting provider, collect data on every access to the server on which this service is located (so-called server log files), on the basis of our legitimate interests according to Art. 6 (1) lit. f GDPR. The access data includes the name of the retrieved web page, the file, the date and time of retrieval, the amount of data transferred, a message about successful retrieval, the browser type and version, the user's operating system, the referrer URL (the previously visited page), the IP address and the requesting provider.
Log file information is stored for security purposes (for example, to investigate abusive or fraudulent activities) for a maximum of 7 days and then deleted. Data whose further retention is required for evidential purposes is excluded from erasure until the incident has been finally clarified.
Website registration and Contact form
Users can create a user account. As part of the registration, the required mandatory information is accessible on their online profile. The data entered during registration will be used for the purpose of using the website service. Users may be informed by e-mail about information relevant to their registration, such as changes in the scope of the offer or technical circumstances. When users terminate their user account, their user profile data will be deleted, unless its retention is necessary for commercial or tax law reasons according to Art. 6 (1) lit. c GDPR. It is the responsibility of the users to save their data before the end of the registration when they terminate their account. We are entitled to irretrievably delete all user data stored during the term of the registration.
When users use our registration and login functions, as well as their user accounts, the IP address and the time of the respective user action are saved. The storage is based on our legitimate interests, as well as the user's protection against misuse and other unauthorized use. These data are not transferred to third parties, unless this is necessary for the prosecution of our claims or there is a legal obligation in accordance with Art. 6 (1) lit. c GDPR. The IP addresses will be anonymized or deleted after 7 days at the latest.
When users contact us (for example, by contact form, e-mail, telephone or via social media), their information is processed in order to handle the contact request in accordance with Art. 6 (1) lit. b GDPR. User information can be stored in a Customer Relationship Management System ("CRM System") or comparable request system.
We delete the requests if they are no longer required. We check the necessity every two years; in addition, the legal archiving obligations apply.
The following paragraphs give you information about the content of our newsletter as well as its registration, mailing and statistical evaluation procedures, and about your right of objection. By subscribing to our newsletter, you agree to receive it and to the related procedures described here.
Content of the newsletter: Newsletters, e-mails and other electronic notifications with work-related information (hereinafter just "newsletter") are distributed only with the consent of the recipient or a legal permission. By subscribing to AAE's newsletter you receive a concrete description of what you will receive; this description is authoritative for the consent of the users. Otherwise, our newsletter contains information about our work and us.
Double opt-in and logging: Registration for our newsletter uses a so-called double opt-in procedure. After registration, you receive an e-mail asking you to confirm your registration. This confirmation is necessary so that nobody can register with your personal e-mail address. The registration for the newsletter is logged in order to prove the registration process according to the legal requirements. This includes the storage of the registration time and the confirmation time, as well as the IP address. Likewise, all changes to your data stored at the mailing service provider are logged.
Registration data: In order to register for the newsletter, it is sufficient to enter your e-mail address.
The distribution of the newsletter and the associated performance statistics are based on the consent of the recipient according to Art. 6 (1) lit. a and Art. 7 GDPR.
The logging of the registration process is based on our legitimate interests in accordance with Art. 6 (1) lit. f GDPR. We are interested in a user-friendly and secure newsletter system, which serves both our business interests and the expectations of the users. Furthermore, it also allows us to prove that consent was given.
Withdrawal/unsubscribe - You may cancel the receipt of our newsletter at any time, that is, you can withdraw your consent at any time. The link to unsubscribe from the newsletter can be found at the end of each newsletter. On the basis of our legitimate interests, we may store the submitted e-mail addresses for up to three years before deleting them for newsletter purposes, so that we can provide evidence of prior consent. The processing of this data is limited to the purpose of a possible defense against claims. An individual request for deletion is possible at any time, provided that the former existence of consent is confirmed at the same time.
Newsletter – Service provider
If you would like to receive the newsletter we offer, we need your e-mail address and further information that allows us to verify your address to receive the newsletter.
The newsletter provider is MailChimp®. The system transmits your data to MailChimp. MailChimp is prohibited from selling your data and from using it for purposes other than sending newsletters. It is a certified provider, which was selected according to the requirements of the General Data Protection Regulation and the Federal Data Protection Act.
MailChimp participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. They are committed to subjecting all Personal Information received from European Union (EU) member countries and Switzerland, respectively, in reliance on each Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Frameworks, and to view their certification, visit the U.S. Department of Commerce’s Privacy Shield website: https://www.privacyshield.gov/welcome. A list of Privacy Shield participants is maintained by the Department of Commerce and is available at: https://www.privacyshield.gov/list.
MailChimp is responsible for the processing of data it receives under each Privacy Shield Framework and subsequently transfers to a third party acting as an agent on its behalf. They comply with the Privacy Shield Principles for all onward transfers of personal data from the EU and Switzerland, including the onward transfer liability provisions.
As part of the Google Analytics reach analysis, the following data is processed on the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online performance as defined in Art. 6 (1) lit. f GDPR): the type of browser you use and the browser version, the operating system you are using, your country of origin, the date and time of the server request, the number of visits, how long you have spent on the site, and the external links you have activated. The IP address of the users is anonymized before being saved.
We maintain an online presence within social media in order to communicate with members, partners and other active users and to inform them about our work. When you open our profile on the social media platforms, the terms and conditions and data processing guidelines of the social media operators apply.
Berlin, May 2018