Data privacy
Please find below our statement on the processing of personal data by our company in accordance with the legal requirements, especially the EU General Data Protection Regulation (GDPR – available here).
Contents:
II. Itemisation of data processing operations
1. General information about the data processing operations
3. Customer feedback or contact with the customer service department
4. Right to erasure (“right to be forgotten”)
5. Right to restriction of processing
I. General information
This section of the privacy statement contains information on the scope of validity, the person responsible for data processing, the data protection officer and data security. It begins with a list of definitions of important terms used in the data privacy statement.
1. Definition of main terms
Browser: Computer program used to display websites (e.g. Chrome, Firefox, Safari)
Cookies: Text files placed on the user’s computer by the web server by means of the browser which is used. The stored cookie information may contain both an identifier (cookie ID) for recognition purposes and content data, such as login status or information about websites visited. The browser sends the cookie information back to the web server with each new request on subsequent repeat visits to these sites. Most browsers accept cookies automatically.
Third countries: Countries outside the European Union (EU)
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – available here
Personal data: All information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified directly or indirectly, in particular by association with an identifier, such as a name, an identification number, location data, an online identifier or one or more special features which constitute an expression of the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person.
Profiling: Any type of automated processing of personal data which involves the use of these personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects pertaining to the working capacity, economic situation, health, personal preferences, interests, reliability, behaviour, residence or change of location of this natural person
Services: Our offers to which this data privacy statement applies (cf. Scope of validity)
Tracking: The collection of data and their evaluation with regard to the attitude of visitors to our services
Tracking technologies: Actions can be tracked either via the activity records (log files) stored on our web servers or by collecting data from end devices via pixels, cookies and similar tracking technologies.
Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
Pixel: Pixels are also called tracking pixels, web beacons or web bugs. These are small, invisible graphics in HTML emails or on websites. When a document is opened, this small image is downloaded from a server on the Internet and the download is registered there. This allows the operator of the server to see if and when an email has been opened or a website has been visited. This function is usually carried out by calling up a small program (JavaScript). Certain types of information can be detected on your computer system in this way and shared, such as the content of cookies, the time and date of the visit, and a description of the page on which the tracking pixel is located.
2. Scope of validity
This data privacy statement applies to the following offers:
- our online offering “BCN” (website), mainly available at brand-community-network.com,
- whenever reference is made to this data privacy statement from one of our offers (e.g. websites, subdomains, mobile applications, web services or links to third-party sites), regardless of the way in which it is accessed or used.
All of these offers are also collectively referred to as “services”.
3. Controller
The following party is responsible for the processing of data in relation to the services, i.e. the party assuming the role of controller which involves determining the purposes and means of processing personal data:
BCN Brand Community Network GmbH
Arabellastraße 23
81925 München
Germany
4. Data protection officer
Contact details for our data protection officer:
Data protection inquiry form
or at the address given in section I.3 (marked for the attention of the data privacy department “z. Hd. Abteilung Datenschutz”) or:
email: bcn@datenschutzanfrage.de
II. Itemisation of data processing operations
This section of the data privacy statement contains detailed information about the processing of personal data in the context of our services. The information is subdivided for greater clarity into certain functions in connection with our services. Where the services are used in the normal way, different functions and therefore also different processing operations can be implemented consecutively or simultaneously.
1. General information about the data processing operations
The following applies to all the processing operations listed below, unless stated otherwise:
a) No obligation to provide personal data & consequences of failure to provide such data
The provision of personal data is not required by law or contract, and you are under no obligation to provide any data. We will inform you during the data entry process when personal information needs to be provided for the relevant service (e.g. by indicating “mandatory field”). In cases where the provision of data is required, the consequence of not providing data will be that the service in question cannot be provided. Otherwise, failure to provide data may result in our inability to provide our services in the same form and quality.
b) Consent
In various cases, you may also grant us your consent to the further processing of data (or some of the data, where applicable) in connection with the operations listed below. In this case, we will inform you separately in connection with the submission of the respective declaration of consent about all the procedures and the scope of the consent and about the purposes which we pursue in these processing operations. The processing operations based on your consent are therefore not listed again here (Art. 13 (4) GDPR).
c) Transfer of personal data to third countries
When we send data to third countries, i.e. countries outside the European Union, then the data are transmitted strictly in compliance with the statutory conditions of admissibility.
If the transmission of the data to a third country does not serve the purpose of fulfilling our contract with you, if we do not have your consent, if the transmission is not required for asserting, exercising or defending legal claims, and if no other exemption applies under Art. 49 GDPR, we will only transmit your data to a third country if in possession of an adequacy decision pursuant to Art. 45 GDPR or appropriate safeguards under Art. 46 GDPR.
We meet the requirements for verification of the appropriate safeguards pursuant to Art. 46 (2) c) GDPR and of an adequate level of data protection in the third country through the agreement of the standard EU data protection clauses adopted by the European Commission with the receiving body. Copies of the standard EU data protection clauses are available on the website of the European Commission here.
d) Hosting at external service providers
Our data processing work is carried out to a large extent with the involvement of hosting service providers who provide us with storage space and processing capacities at their data centres and who also process personal data on our behalf according to our instructions. It may be the case that personal data are transmitted to hosting service providers in respect of all of the functions listed below. These service providers process data either exclusively in the EU or subject to guaranteed levels of data protection which we have put in place based on the standard EU data protection clauses (cf. subsection c).
e) Transmission to government authorities
We send personal data to government authorities (including law enforcement agencies) when required to fulfil a legal obligation to which we are subject (legal basis: Art. 6 (1) c) GDPR) or when it is necessary for the assertion, exercise or defence of legal claims (legal basis: Art. 6 (1) f) GDPR).
f) Period of storage
The time specified in the “period of storage” paragraph indicates how long we use the data for the relevant purposes in any given case. At the end of this period, the data will no longer be processed by us but will be erased at regular intervals, unless continued processing and storage are required by law (in particular because it is necessary to fulfil a legal obligation or to assert, exercise or defend legal claims) or unless you grant us extended consent.
g) Functional life of cookies
Some of the data processing operations outlined in the following sections are carried out using cookies. The information stored in a cookie can only be accessed via the Internet by the operator of the web server which originally set the cookie. It cannot be accessed in this way by third parties. The cookies function for different lengths of time. Some cookies are only active during a browser session and are deleted afterwards whereas others function for longer periods of time, but usually for less than a year. Cookies which are no longer active will be deleted by the browser. Cookies can be managed using the browser functions (usually under “Options” or “Settings”. The storage of cookies may be disabled in this way or it may be made subject to the user’s approval in any given case or otherwise restricted. Cookies may also be deleted at any time.
h) Data categories
The category names listed below are used for specific types of data in the following sections:
- Personal master data: Title, salutation/gender, forename, surname, date of birth
- Contact data: Telephone number(s), fax number(s), email address(es)
- Login data: Information about the service via which you logged on; times and technical information on login, authentication and logout; data entered by you when logging on
- Newsletter user profile data: Opening of newsletter (date and time), contents, selected links, as well as the following information relating to the computer system accessing the newsletter: Internet Protocol address used (IP address), browser type, browser version, device type, operating system and similar technical information
- Access data: Date and time of visit to our service; the page from which the system accessed our site; pages visited during the session; session identification data (session ID), as well as the following information relating to the computer system accessing the service: Internet Protocol address used (IP address), browser type, browser version, device type, operating system and similar technical information
2. Accessing our services
The passages below set out how your personal data are processed when you access our services (e.g. loading and viewing the website, opening the mobile app and navigating within the app). We also use tools which are technically or legally necessary which do not themselves collect any data (such as the Google Tag Manager) but serve only to manage and operate other tools or to manage consent statements which you have issued (Consent Management Platform). Please note that it is impossible not to send access data to external content providers (cf. subsection b) due to the technical processes involved in transmitting information over the Internet. The third-party providers are themselves responsible for the privacy-compliant operation of the IT systems which they use. The service providers are required to decide how long the data will be stored.
a) Purposes of data processing, legal basis, legitimate interests (where applicable), and period of storage
Data category:
Purpose:
Establishing connection; presenting contents of the service; detecting attacks on our site due to unusual activities; fault diagnosis
Legality of processing:
Our legitimate interest:
Proper functioning of the services; security of data and business processes; prevention of misuse; prevention of loss and damage through interference in information systems
Period of storage:
4 weeks
b) Recipients of the personal data
Recipient category:
External content providers who provide content which is needed to display the service (e.g. images, videos, embedded postings from social networks, banner ads, fonts, update information, shortened links)
Data concerned:
Legal basis:
Our legitimate interest:
Proper functioning of services; (accelerated) display of content
Recipient category:
IT security service providers
Data concerned:
Legal basis:
Our legitimate interest:
Prevention of attacks through exploitation of security gaps/vulnerabilities
3. Customer feedback or contact with the customer service department
The tables below show how your personal data are processed when you send us enquiries.
a) Purposes of data processing, legal basis, legitimate interests (where applicable), and period of storage
Data category:
Personal master data; contact details; content of enquiries/complaints
Purpose:
Processing of customer enquiries and user complaints
Legality of processing:
Our legitimate interest:
Improvement of our service; increase in customer loyalty
Period of storage:
During the processing of the enquiry
b) Recipients of the personal data
Recipient category:
Publisher of the brand offering the service if not BCN
Data concerned:
email address; address data; content of enquiries/complaints
Legal basis:
Our legitimate interest:
Customer relationship management
4. Newsletter subscriptions
The tables below show how your personal data are processed when you subscribe to a newsletter:
a) Purposes of data processing, legal basis, legitimate interests (where applicable), and period of storage
Data category:
email address
Purpose:
Verification of the application (double opt-in procedure); sending of the newsletter
Legality of processing:
Period of storage:
Duration of newsletter subscription
Data category:
Purpose:
Personalisation of newsletter
Legality of processing:
Period of storage:
Duration of newsletter subscription
Data category:
Purpose:
Traceability of newsletter registration/confirmation/deregistration
Legality of processing:
Our legitimate interest:
Proof of successful newsletter registration/confirmation/deregistration
Period of storage:
Duration of newsletter subscription
Data category:
Newsletter user profile data and any interests which may have been specified in the profile administration process
Purpose:
Reflection of interests in the composition of the newsletter
Legality of processing:
Our legitimate interest:
Improvement of our service, promotional purposes
Period of storage:
Duration of newsletter subscription
b) Recipients of the personal data
Recipient category:
Newsletter distribution service providers
Data concerned:
All data listed under (a) in this section
Legal basis:
5. Tracking & usage analysis
We explain in this section in which cases your personal data will be processed to analyse the use of our services when you use our services, and we explain when tracking technologies will be used to track and evaluate the behaviour of visitors for various purposes, such as showing them advertisements tailored to their interests.
BCN Brand Community Network GmbH has signed up to the IAB Europe Transparency & Consent Framework and complies with its specifications and guidelines. BCN Brand Community Network GmbH uses the Consent Management Platform with ID number 3.
- Usage analysis based on legitimate interests (Art. 6 (1) f) GDPR)
We carry out usage analyses on the legal basis of Art. 6 (1) f) GDPR, i.e. after weighing up the relevant interests. A summary of the technologies and services used can be found here along with an explanation of each service, how it works and which data are included in the processing operations.
Our brief in the pursuit of our legitimate interests in this regard is as follows:
-
- to review our services, to improve and adapt them to the needs of the users, and to correct errors;
- to produce statistics on the use of our services (reach, intensity of use, surfing habits of users) – on the basis of uniform standard procedures – and thereby to obtain comparable figures across the market in order to optimise the marketing of our services;
- to measure the success of advertising campaigns, to improve our advertisements going forward and to enable marketing companies and advertisers in turn to optimise their advertisements.
Can I object to the collection and evaluation of data?
Yes. Please click here to object to the processing operations where this option is required in any given case.
- Tracking on the legal basis of consent pursuant to Art. 6 (1) a) GDPR
We carry out tracking processes subject to your consent. The type and scope of the tracking is explained in the consent list. Please note that if consent is not requested, there will be no tracking processes on this basis.
Consent is voluntary. It is granted by enabling or disabling our services as appropriate in the consent list where you will find all necessary information about the type and scope of data processing.
Can I revoke my consent?
Once granted, consent may be revoked at any time with future effect. Click here to opt to revoke your consent. This will not affect the legality of the processing operations until such time as the revocation takes effect.
III. Rights of data subjects
1. Right to object
If we process your personal data for direct marketing purposes, you have the right to object to the processing of personal data relating to you for the purpose of such advertising at any time with future effect; this also applies to profiling insofar as it is associated with such direct marketing.
You also have the right, at any time with future effect and for reasons pertinent to your particular situation, to object to the processing of personal data relating to you in accordance with Art. 6 (1) e) or f) GDPR; this also applies to any profiling based on these provisions.
The right to object may be exercised free of charge. Please use the form provided under the following link so that your request can be processed more quickly:
Data protection inquiry form
Alternative ways of reaching us include using the contact details in section I.4.
2. Right of access
You have the right to request confirmation from us as to whether personal data relating to you are being processed and, where applicable, to ask for information about such personal data and the other information listed in Art. 15 GDPR.
3. Right to rectification
You have the right to obtain from us without undue delay the rectification of incorrect personal data concerning you (Art. 16 GDPR). Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data, including by means of a supplementary statement.
4. Right to erasure (“right to be forgotten”)
You have the right to ask us to erase personal data relating to you without undue delay if one of the reasons listed in Art. 17 (1) GDPR is applicable and the processing operations are not required for one of the purposes approved in Art. 17 (3) GDPR.
5. Right to restriction of processing
You are entitled to ask for the processing of your personal data to be restricted if one of the conditions set out in Art. 18 (1) a) to d) GDPR is met.
6. Right to data portability
Under the conditions set out in Art. 20 (1) GDPR, you have the right, in respect of the personal data which you have given us, to be provided with these data in a structured, commonly used and machine-readable format and the right to send these data to another controller without any obstruction on our part. In exercising the right to data portability, you have the right to ask for the personal data to be transmitted directly by us to another controller where this is technically feasible.
7. Right to withdraw consent
If the processing is based on your consent, you have the right to revoke your consent at any time. This will not affect the legality of the processing operations on the basis of your consent until such time as the revocation takes effect.
8. Right of appeal
You have a right to appeal to the supervisory authority responsible for our company. The supervisory authority responsible for our company is as follows:
Landesamt für Datenschutzaufsicht, Promenade 18, 91522 Ansbach, http://www.lda.bayern.de