Privacy
Hosting
If you do not register or log in as a visitor, we collect the following data in so-called log files that your browser transmits:
IP address, date and time of the request, time zone difference to Greenwich Mean Time, content of the request, HTTP status code, amount of data transferred, website from which the request came and information about the browser and operating system.
This is necessary to display our website and to ensure stability and security. This corresponds to our legitimate interest within the meaning of Art. 6 para. 1 p. 1 lit. f DSGVO.
We use the following hoster for the provision of our website.
netcup GmbH Daimlerstraße 25 D-76185 Karlsruhe
This is the recipient of your personal data and acts as a processor for us. This corresponds to our legitimate interest within the meaning of Art. 6 (1) p. 1 lit. f DSGVO not to have to maintain a server on our premises ourselves. Server location is Germany.
You have the right to object to the processing. Whether the objection is successful is to be determined within the framework of a balancing of interests.
The data will be deleted after 14 days.
The processing of the data provided under this section is not required by law or contract. The functionality of the website is not guaranteed without the processing.
Technical notes
In addition to the server log files, personal data may also be processed by the application used and its plugins. This includes, among other things, the logging of incorrect login attempts, or accesses to non-existent pages (404). This should be checked and supplemented accordingly.
In the event of storage, it should also be stated how long this takes place and whether and from when anonymization of the collected data takes place.
Legal information
In principle, an order processing contract must be concluded with the hoster. The Bavarian State Office for Data Protection Supervision has made an exception for the hosting of purely static websites. In the event that the website is used for self-expression, e.g. by associations or small businesses, no personal data flows to the operator and no tracking takes place, there is no commissioned processing. It goes on to say that “the fact that IP addresses, i.e. personal data, must inevitably be processed even when hosting static websites does not lead to the assumption of commissioned processing. That would not be appropriate. Rather, the (short-term) IP address storage is still attributable to the website hoster’s telecommunications access provision under the TKG and primarily serves the hoster’s security purposes.” https://www.lda.bayern.de/media/veroeffentlichungen/FAQ_Hosting_keine_Auftragsverarbeitung.pdf It should therefore be checked whether the hoster provides tracking and evaluation tools and whether and how long log files are kept.
Other purposes of data processing
- Ensuring the stability and security of the website
- Evaluation of system security and stability
- Optimization of the website
- Checking whether illegal use has taken place
- Possibility of objection and removal
The frequently used reference that there is no possibility of objection on the part of the user does not correspond to the legal requirement. If the processing is based on the legitimate interest of the controller (Art. 6(1)(f) DSGVO), the right to object is not excluded per se. However, whether this is successful must be determined in the context of a balancing of interests. Even if in practice the legitimate interest of the website operator is likely to prevail, this does not mean that the right to object is excluded. Such wording should be corrected, as it may result in the data subject being prevented from exercising his or her right to object.
Recipient
According to Art. 13 para. 1 lit. e DSGVO, there is an obligation to specify “the recipients or categories of recipients of the personal data”. It is often argued that recipients must be named and addressed as a matter of priority and that categories may only be used as an alternative. Another view is that there is a right to choose between naming recipients and specifying categories (cf. Daum: Mandatory information on websites, MMR 2020, 643 (646) with further references). Accordingly, it would be sufficient to specify “hoster” as the category. However, only clarity, if anything, speaks in favor of this view. It is more in line with the purpose of the provision to state the name and address, especially since this is already known in the context of hosting (see Lorenz: Datenschutzrechtliche Informationspflichten, VuR 2019, 213 (216)).
Storage period
To determine the storage period, the server and application settings should be checked, also to avoid inconsistencies with the stated purposes. For example, inconsistencies may arise if it is stated that data is deleted after each session, but at the same time it is intended to serve stability and security. A general statement that the data will be stored for as long as necessary for the stated purposes is not sufficient (cf. Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Art. 13 Rn 15). According to Art. 13 para. 2 lit. a DSGVO, however, the specification of criteria for determining the storage period is sufficient.