Data Protection


Data Protection Statement in accordance with the General Data Protection Regulation (GDPR)

 

I. Name and address of responsible party
The responsible party in the sense of the General Data Protection Regulation and other national data protection laws by member states as well as other legal data protection provisions is:
IBIS Prof. Thome AG
Telephone: +49 931 73046 500
Fax: +49 931 73046 99 500
Email: info@ibis-thome.de
web site: www.ibis-thome.de

 

II. Name and address of data protection officer
The responsible party’s data protection officer is:
Attorney
Konstantin Malakas
Steinbachtal 2b
97072 Würzburg
Telephone. +49 931 29 98 08-0
Fax: +49 931 29 98 08-8
Email: dsb@ibis-thome.de
Web sites: www.malakas.de; www.weblawyer.de

 

III. General information regarding data processing
1. Scope of processing of personal information
In principle, we collect and use our users’ personal information only to the extent necessary to provide a functional web site and our contents and services. The collection and use of our users’ personal information takes place on a periodical basis only after the user’s consent has been obtained. An exception is made in cases where it is impossible to obtain prior permission due to practical reasons and the processing of the data is allowable under legal provisions.

2. Legal basis for the processing of personal information
Whenever we obtain the consent of the person concerned for the processing of personal information, this is carried out within the legal framework of Art. 6 Par. 1 lett. a EU General Data Protection Regulation (GDPR).
In the processing of personal information necessary to fulfill a contract to which the person concerned is a contractual party, Art. 6 Par. 1 lett. b GDPR provides the legal framework. This also applies to processing required to carry out pre-contractual measures.
Where processing of personal information is required to fulfill a legal obligation to which our company is subject, this is done within the legal framework of Art. 6 Par. 1 lett. c GDPR.
In the event that vital interests of the person concerned or another natural person require processing of personal information, Art. 6 Par. 1 lett. d GDPR provides the legal framework.
Where processing is required to safeguard a justified interest of our company or a third party and these are not outweighed by the interests, fundamental rights or fundamental freedoms of the person concerned, Art. 6 Par. 1 lett. f GDPR provides the legal framework.

3. Deletion of data and duration of data retention
The personal information of the person concerned will be deleted or blocked as soon as the purpose of retaining such information has lapsed. Retention can also occur when it is stipulated under European or national law in regulations, laws or other provisions which are legally valid in the EU and to which the responsible parties are subject. Blocking or deletion of data also occurs upon the lapse of a prescribed retention period under the standards mentioned above unless further retention of the data is required for the conclusion or fulfillment of a contract.

 

IV. Provision of the web site and creation of log files
1. Description and scope of data processing

Each time our Internet site is accessed, our system automatically collects data and information from the accessing computer’s system.
The following data are collected in this process:
(1) information regarding the browser type and the version being used
(2) the user’s operating system
(3) the user’s Internet service provider
(4) the user’s IP address
(5) date and time of access
(6) web sites from which the user’s system accessed our Internet page
(7) web sites accessed from the user’s system via our web site
These data are also retained in our system’s log files. These data are not retained together with other personal information of the user.

2. Legal basis for data processing
The legal basis for the temporary retention of data and log files rests on Art. 6 Par. 1 lett. f GDPR.

3. Purpose of data processing
Temporary retention of the IP address by the system is required to allow the web site to be provided to the web site on the user’s computer. This process requires retention of the user’s IP address for the duration of the session.
Retention in the log files takes place to ensure the web site’s functionality. Moreover, the data enable us to optimize the web site and safeguard the security of our technical information systems. Review of the data for marketing purposes does not occur in this regard.
For such purposes, our justified interest in the data processing is based on Art. 6 Par. 1 lett. f GDPR.

4. Duration of retention
The data will be deleted at the point where they are no longer needed to achieve the purpose for which they were collected. Where data are collected to provide access to the web site, this point is reached when the respective session has been completed.
Where data is retained in log files, this occurs after 14 days. Further retention is a possibility. Where this occurs, users’ IP addresses are pseudonymized or anonymized to prevent any association with the accessing client.

5. Option for objection and removal
The collection of data for the accessing of the web site and the retention of the data in log files are essential to the operation of the Internet page. As a result, the user has no option to object to this collection.

 

V. Use of cookies
1. Description and scope of data processing
In designing our offer to be as user-friendly as possible, we employ cookies.
A cookie is a small text file sent by our web server at the IBIS Prof. Thome AG (for example, the web server at www.ibis-thome.de) to your browser whenever you visit a web page. This cookie contains a unique character string that facilitates precise identification of the browser when the web site is accessed again. Session cookies expire at the end of a browser session and can only capture your actions during this single browser session. In contrast, permanent cookies continue to be retained on your terminal even between different browser sessions and can capture your settings or actions on multiple web pages.
In principle, cookies present no risk to your computer since they are merely text files, not executable programs.
On one hand, the cookies used by the IBIS Prof. Thome AG (www.ibis-thome.de) facilitate use of our web site, while on the other hand they permit market research and advertising efforts as well as the compiling of usage statistics. We also employ cookies in the context of web tracking, using them as the basis for personalized contents.
Besides session cookies, which are deleted when you terminate your browser session, we also store permanent cookies on your computer. These cookies are retained until you delete them. No personal information is retained in the cookies we use.
Depending on your browser setting, cookie files are either retained or rejected. If they are retained, our web server is able to detect your terminal. In later sessions and in moving between functions that require you to enter a password, the cookie assists you in avoiding having to re-enter certain information. In this way, cookies facilitate the use of our web pages that require user input. In addition, cookies can assist us in being able to custom-tailor web offers to match your interests.
If you prefer that these actions not take place, you can deactivate cookies as follows:
Set your browser to reject our cookies if you prefer to use our web sites without cookie functionality. The steps required for you to establish these settings can vary from one browser to the next, and we are therefore unable to provide you with more precise guidance here.
If your browser is already set to warn you each time it receives a cookie, you can then decide on a case-by-case basis whether you wish to allow the cookie to be stored. Since it will be necessary for our identification cookie to be re-sent each time you access the web site, you may soon find these messages quite inconvenient.
For this reason, we recommend that you set your browser to accept cookies from www.ibis-thome.de each time they are sent. It is possible for you to establish this setting for individual web pages. In this case, for example, your text inputs will be retained in form fields for future queries, and you will not need to re-enter your information each time you visit our web sites. In addition, we will then be able to offer you contents tailored to your personal interests.
Some elements of our Internet site require the accessing browser to be identifiable each time a new page is accessed.
For these purposes, the following information is retained in the cookies and transmitted:
(1) Language settings

User data captured in this way are anonymized through technical means. This prevents the information from being associated with the accessing user. The data are not stored together with other personal information pertaining to the user.
When users access our web site, an information layer provides information regarding the use of cookies for analytical purposes and refers users to this Data Protection Statement. Information is also provided here on how to set the browser to prevent the storage of cookies.
You can find further information on using or deactivating cookies at www.meine-cookies.org or www.youronlinechoices.com.
For security purposes, regardless whether cookies are stored, you will need to log in again each time you access areas of our web site that require you to register.

a) Third-party cookies
The IBIS Prof. Thome AG also incorporates third-party contents at the IBIS Prof. Thome’s web site. These third parties can store cookies on your computer when you access our web pages and in this way determine that you have accessed our web pages via www.ibis-thome.de. We invite you to access the third-party web sites to obtain further information on their use of cookies. If you have made the decision not to permit sharing of cookies or to object to such actions (deactivate the cookies), you will only have access to functions we can provide at our web site without these cookies.
b) Social media (Facebook, Google+ and YouTube, Twitter)
You can also find our company’s services on-line through social networks provided on the Internet by other companies (Facebook, Google and YouTube, Twitter).
You can use these services only by registering and logging into each social network. You should therefore be aware that each social network’s terms of use and data protection apply when using its respective services.
Our web site uses social plug-ins from the following social networks:
• Facebook Ireland Limited, Hanover Reach, 5-7 Hanover Quay, Dublin 2 Ireland, identifiable through the Facebook logo (white “f” on a blue background)
• Google+, operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States, identifiable through the Google+ logo (red “G” followed by “+1”)
• Twitter, a micro-blogging service of the U.S. Company Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, United States, identifiable through the Twitter logo (a blue bird)
• XING SE, Dammtorstraße 30, 20354 Hamburg
• LinkedIn, LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Irland
• YouTube: YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, United States. YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, United States.
Whenever you access one of our web pages containing a YouTube component, your browser establishes a direct connection to the YouTube servers. The contents of the components are transmitted directly to your browser by YouTube, which incorporates them into the web site.
By incorporating these components, YouTube and Google receive the information that you have accessed our company’s corresponding web site. If you are logged into YouTube, YouTube and Google can connect the session to your YouTube account.
If you prefer that your information not be transmitted to YouTube and Google in this way, you can prevent the transmission by logging off your YouTube account prior to accessing our web pages.

Because we have no influence on the scope of the data these service providers collect using their plug-ins, we are sharing what we know about it with you. Through its incorporated plug-ins, each service provider receives information that you have accessed the corresponding area of our web site. If you are logged into the respective service provider, that provider can associate this access directly with your account. If you interact with the plug-ins — by clicking the recommend button, for example — the corresponding information will be directly transmitted to the service provider and retained there. If you are not subscribed to a service provider, it is assumed that the respective service provider has gained knowledge of your IP address and retained it. If you are subscribed to a service provider and prefer that it not collect information about you through our Internet site and associate this information with the subscriber data stored by that service provider, you must log off that service provider prior to clicking on the social network’s button.
To request further information regarding the purpose and scope of data collection and the further processing and use of the data by Facebook as well the setting options available to you for the protection of your privacy, please consult the data protection guidelines of the respective service provider:
Facebook: https://www.facebook.com/privacy/explanation and http://www.facebook.com/full_data_use_policy
Google+ and YouTube: http://www.google.com/intl/de/policies/privacy/
Twitter: http://twitter.com/privacy
XING: https://privacy.xing.com/de/datenschutzerklaerung
LinkedIn: https://www.linkedin.com/legal/privacy-policy?trk=hb_ft_priv

2. Legal basis for the processing of personal information
The legal basis for the processing of the data when the user has given consent is Art. 6 Par. 1 lett. a GDPR.
The legal basis for the processing of data transmitted in the course of using plug-ins is Art. 6 Par. 1 lett. f GDPR.

3. Purpose of data processing
The purpose of our use of technically necessary cookies is to simplify the use of web sites by the user. Some functions of our Internet site cannot be offered without employing cookies. For these functions, it is necessary for the browser to be identified even after moving to the next page.
The user data collected by technically required cookies are not used to create user profiles.
The use of analytical cookies occurs for the purpose of improving the quality of our web site and its contents. Through the use of analytical cookies, we learn how the web site is used and can in this way constantly refine our offerings.
Google uses cookies especially to compile web statistics.
We use cookies from social media providers to offer users the opportunity to interact with the additional services they use.
For such purposes, our justified interest in the data processing is based on Art. 6 Par. 1 lett. f GDPR.

4. Retention period
Cookies will be stored on the user’s computer and subsequently transmitted to our site. In this way, you as the user also have complete control over the use of cookies. By changing the settings on your Internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been retained can be deleted at any time. This can occur automatically.
With respect to the duration of retention by the respective social media providers and your rights and configuration options to protect your privacy, we refer you each service provider’s data protection guidelines, accessible via the links provided above.
Please note that when cookies are deleted, opt-out cookies may also be mistakenly deleted in the process, producing an unintended effect. If you delete all the cookies in your browser, you will then need to reset each respective opt-out cookie.

5. Objection and removal option
You have the option at all times to deactivate the cookie setting in your browser as described in Sec. V. 1. If no active deactivation occurs, removal is possible only through deletion on your system. There is no right of objection based on technical reasons.
With respect to objection and removal options provided by the respective social media providers and your rights and configuration options to protect your privacy, we refer you each service provider’s data protection guidelines, accessible via the links provided above

 

VI. Web analysis using Matomo
1. Scope of personal information processing
At our web site, we use the Matomo (https://matomo.org/) software to analyze our users’ web-surfing behavior. The software places a cookie in the user’s computer (see above regarding cookies). When individual pages of our web site are accessed, the following information is retained:

(1) three bytes of the IP address of the accessing user’s system (xxx.xxx.xxx.???)
(2) web page being accessed
(3) web site from which the user has connected to the accessed web site (referrer)
(4) subpages that are accessed from the accessed web site
(5) length of time spent at the web page
(6) frequency of access to the web page
(7) search terms entered
(8) frequency of page access

In this process, the evaluation software runs exclusively on our own servers. There is no retention of the user’s personal information since the IP address is anonymized. The software setting does not completely retain the IP address, instead masking 1 byte of the IP address (example: xxx.xxx.xxx.???). This action prevents the abbreviated IP address from being associated with the accessing computer.
There is no transfer of data to third parties.

2. Legal basis for the processing of personal information
The legal basis for the processing of the user’s personal information is Art. 6 Par. 1 lett. f GDPR until the user’s IP address is anonymized. This occurs at the earliest possible moment (see https://matomo.org/privacy/ ).

3. Purpose of data processing
The processing of the user’s personal information, which is anonymized at the earliest possible moment, allows us to analyze our users’ web-surfing behavior. By analyzing the data we collect, we are able to compile information regarding the use of the individual components of our web site. This assists us in continuously improving our web site and its user-friendliness.

4. Retention period
Because the data are anonymized, they are not deleted, remaining permanently available to us for purposes of analysis. No association with an individual user is possible. Matomo has made the commitment never to merge the data it collects with other databases — for the purpose of establishing a personal relationship, for example (see https://matomo.org/privacy/ ).

5. Objection and removal option
Matomo cookies are retained on the user’s computer, from where they are transmitted to our site. In this way, you as the user also have complete control over the use of cookies. By changing the settings on your Internet browser, you can deactivate or restrict the transmission of cookies at any time. Cookies that have already been retained can be deleted at any time. This can occur automatically. If cookies for our web site are deactivated, all web site functions may no longer be fully usable.
At our web site, we offer our users the option to opt out of the analysis process. This option adds a cookie to your system that signals that the user’s data are not to be retained. Please note that when cookies are deleted, opt-out cookies may also be mistakenly deleted in the process, producing an unintended effect.

Further information regarding Matomo Software’s privacy settings can be obtained at the following link: https://matomo.org/privacy/

 

VII. Rights of the persons concerned
If personal information concerning you is processed, you are a person concerned in the sense of the GDPR, and you are entitled to the following rights vis-a-vis the responsible parties:

1. Right to information
You can demand a statement from the responsible party indicating whether personal information concerning you is being processed by us.
If such processing is occurring, you can demand the following information from the responsible party:
(1) the purposes for which the personal information is being processed;
(2) the categories of personal information being processed;
(3) the receivers and the categories of receiver to which the personal information concerning you has been or is still to be disclosed;
(4) the anticipated duration of retention of the personal information concerning you or, should specific information regarding this matter not be possible, criteria for determining the retention period;
(5) the existence of a right to correct or delete the personal information concerning you, a right to restrict the responsible party’s processing of the information, or a right to contest this processing;
(6) the existence of a right to appeal to a regulatory authority;
(7) all available information regarding the data source if the personal information is not collected by the person concerned;
(8) the existence of automatic decision making including profiling in accordance with Art. 22 Pars. 1 and 4 GDPR and – at least in these cases – meaningful information regarding the logic involved as well as the scope and intended effect of such processing on the person concerned.
You have the right to demand to know whether the personal information concerning you is being transmitted to a third country or an international organization. In this context, you can demand to be informed regarding the specific guarantees under Art. 46 GDPR in connection with the information transfer.

2. Right to rectification
You have a right to rectification and/or completion vis-a-vis the responsible party to the extent that the processed personal information concerning you is incorrect or incomplete. The responsible party must promptly carry out the rectification.

3. Right to restrict processing
Under the following conditions, you can demand restriction of the processing of personal information concerning you:
(1) if you dispute the accuracy of the personal information concerning you for a period that allows the responsible party to check the accuracy of the personal information;
(2) if the processing is unlawful and you decline deletion of the personal information, demanding instead restriction of the use of the personal information;
(3) if the responsible party no longer has need of the personal information for the purposes of the processing but you need the information to assert, exercise or defend against a legal claim, or
(4) if you have filed an objection to the processing in accordance with Art. 21 Par. 1 GDPR and it remains uncertain whether the responsible party’s justified reasons outweigh your own reasons.
If the processing of the personal information concerning you has been restricted, such data – apart from their retention – may only be processed with your consent or to assert, exercise or defend against a legal claim or to protect the rights of another natural person or legal entity or based on a significant public interest on the part of the Union or a member state.
If the processing restriction is carried out under the above-mentioned conditions, you will be informed by the responsible party prior to any lifting of the restriction.

4. Right to deletion
a) Deletion responsibility
You can demand that the responsible party immediately delete the personal information concerning you, and the responsible party is required to delete these data provided that one of the following reasons applies:
(1) The personal information concerning you is no longer needed for the purposes for which it was collected or otherwise processed.
(2) You revoke your consent on which the processing is based in accordance with Art. 6 Par. 1 lett. a or Art. 9 Par. 2 lett. a GDPR and no other legal basis for the processing exists .
(3) You file an objection to the processing in accordance with Art. 21 Par. 1 GDPR and there are no overriding reasons for the processing, or you file an objection to the processing in accordance with Art. 21 Par. 2 GDPR.
(4) The personal information concerning you was unlawfully processed.
(5) The deletion of the personal information concerning you is required for fulfillment of a legal obligation under Union law or the law of a member state to which the responsible party is subject.
(6) The personal information concerning you was collected in relation to provided information society services in accordance with Art. 8 Par. 1 GDPR.
b) Disclosing information to third parties
If the responsible party has disclosed the personal information concerning you and if that party is required to delete the information in accordance with Art. 17 Par. 1 GDPR, the party must inform those responsible for processing these data that, as a person concerned, you have demanded the deletion of all links to this personal information or from copies or replicas of this personal information.
c) Exceptions
The right to deletion does not exist if the processing is required
(1) for exercise of the right of freedom of expression and information;
(2) to fulfill a legal obligation requiring the processing under the law of the Union or its member states to which the responsible party is subject, or to carry out a duty in the public interest or in the exercise of official authority granted to the responsible party;
(3) for reasons of public interest in the area of public health in accordance with Art. 9 Par. 2 letts. h and i and Art. 9 Par. 3 GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes in accordance with Art. 89 Par. 1 GDPR to the extent that the right designated under section a) is expected to preclude or seriously affect the achievement of the goals of this processing, or
(5) to assert, exercise or defend against legal claims.

5. Right to information
If you have asserted against the responsible party your right to rectify or delete the data or restrict its processing, that party is obligated to communicate to all receivers of the data this rectification or deletion of the data or restriction of its processing unless this proves to be impossible or involves disproportionate effort.
You have the right to be informed by the responsible party regarding these receivers.

6. Right to data portability
You have the right to receive in a structured, current and machine-readable format the personal information concerning you that the responsible party has made available to you . In addition, you have the right to transfer to another responsible party the personal information concerning you without interference from the responsible party to which the personal information was made available, provided that (1) the processing is based either on a consent in accordance with Art. 6 Par. 1 lett. a GDPR or Art. 9 Par. 2 lett. a GDPR or on a contract in accordance with Art. 6 Par. 1 lett. b GDPR and (2) the data are processed using automated procedures.
In the exercise of this right, you have a further right to have the personal information concerning you directly transferred from one responsible party to another responsible party to the extent technically possible. The freedoms and rights of other persons may not be affected in this process.
The right to data portability does not apply to the processing of personal information required to carry out a duty in the public interest or in the exercise of official authority granted to the responsible party;

7. Right of objection
For reasons arising from your particular situation, you have the right at any time to file an objection to the processing of the personal information concerning you that is based on Art. 6 Par. 1 lett. e or f GDPR; this also applies to any profiling based on these provisions.
The responsible party may no longer process the personal information concerning you unless it can provide evidence of compelling and legitimate reasons for the processing that outweigh your interests, rights and freedoms or the processing is in support of an assertion of, exercise of or defense against a legal claim.
Where the personal information concerning you is processed in connection with activities involving direct promotion, you have the right at any time to file an objection to the processing of the personal information concerning you for the purposes of such promotions; this also applies to profiling to the extent that it is associated with such direct promotion.
If you contest the processing for purposes of direct promotion, the personal information concerning you may no longer be processed for these purposes.
You have the option in connection with your use of services of the information society – notwithstanding Directive 2002/58/EC – to exercise your right of objection by means of automated procedures that utilize technical specifications.

8. Right to revoke your declaration of consent under data protection regulations
You have the right at any time to revoke your declaration of consent under data protection regulations. Revocation of consent does not affect the lawfulness of consent-based processing that took place prior to the revocation.

9. Automated decision making including profiling
You have the right not to be subjected to a decision based exclusively on automated decision making – including profiling – that has legal effect on you or significantly affects you in a similar way. This does not apply if the decision
(1) is required for the conclusion or fulfillment of a contract between you and the responsible party,
(2) is allowable according to legislation of the Union or its member states to which the responsible party is subject and this legislation contains appropriate measures to safeguard your rights and freedoms as well as your justified interests or
(3) takes place with your express consent.
These decisions may not be based, however, on specific categories of personal information in accordance with Art. 9 Par. 1 GDPR unless either Art. 9 Par. 2 letts. a or g GDPR apply and appropriate measures have been taken to protect your rights and freedoms as well as your justified interests.
With respect to the cases specified in (1) and (3), the responsible party must take appropriate measures to safeguard rights and freedoms as well as your justified interests, minimally including the right to a personal intervention on the part of the responsible party, a presentation of your own position and an appeal against the decision.

10. Right to appeal to a regulatory authority
Without prejudice to other administrative sanctions or judicial remedies, you are entitled to appeal to a regulatory authority, especially one in the member country of your residence, workplace or the site of the alleged violation if you believe that the processing of the personal information concerning you is contrary to the GDPR.
The regulatory authority hearing the appeal will inform the appellant regarding the status and outcome of the appeal, including the possibility of judicial appeal under Art. 78 GDPR.