Company: Johner Institut GmbH
Street: Villa Rheinburg, Reichenaustr. 1
Postcode/Town/Country: 78467 Constance, Germany
Commercial Register/No.: 710768 - District Court of Freiburg
Managing Director: Christian Johner
Telephone number: 07531-9450020
Data Protection Manager
Name: Philipp Grömminger
As of: 01/10/2019
Basic information on data processing and legal basis
- This data protection statement explains to you the type, scope and purpose for the processing of personal data within our online offering and the associated websites, functions and content (hereinafter referred to together as “online offering” or “website”). The data protection statement applies independently of the domain, systems, platforms and devices used (such as desktop or mobile) on which the online offering is presented.
- For the terms used, such as “personal data” or its “processing”, we refer to the definitions in article 4 of the General Data Protection Regulation (GDPR).
- The personal data of the user processed within the framework of this online offering includes file data (such as name and address of customers), contract data (such as services taken advantage of, name of processors, payment information), use data (such as the websites of our online offering visited, interest in our products) and content data (such as entries into the contact form).
- The term “user” includes all categories of the persons affected by the data processing. This includes our business partners, customers, interested parties and other visitors to our online offering. The terms used such as “user” are understood to be gender-neutral.
- We process the personal data of the user only in adherence to the applicable data protection regulations. This means that the data of the users will only be processed if there is legal consent. This means in particular, when the data processing is required to perform our contractual services (such as processing of orders) and online services or is legally required, if there is consent from the user, and based on our legitimate interests (such as in the interest of analysis, optimization and economic operation and security of our online offering in terms of article 6 (1) GDPR, in particular in measuring scope, creation of profiles for advertising and marketing purposes and for the collection of access data and use of the services of third party providers).
- We note that the legal basis for consent is article 6 (1) (a) and article 7 GDPR, the legal basis of the processing for fulfilment of our services and the implementation of contractual measures is article 6 (1) (b) GDPR, the legal basis for the processing for fulfilment of our legal obligations is article 6 (1) (c) GDPR and the legal basis for the processing for preserving our legitimate interests is article 6 (1) (f) GDPR.
- We take organizational, contractual and technical security measures pursuant to the state of the art of technology to ensure that the provisions of the data protection laws are upheld and to protect the data processed by us from accidental or intended manipulations, loss, destruction or from the access by unauthorized persons.
- The security measures include encrypted transfer of data between your browser and our server.
Forwarding of data to third parties and third-party suppliers
- Forwarding of data to third parties only occurs within the framework of the legal regulations. We only provide the user data to third parties if required based on article 6 (1) (b) GDPR for contractual purposes or based on legitimate interests pursuant to article 6 (1) (f) GDPR for economical and effective operation of our business.
- If we use subcontractors to provide our services, we take the appropriate legal precautions and relevant technical and organizational measures to ensure the protection of the personal data pursuant to the applicable legal regulations.
- If within the framework of this data protection statement content, tools or other resources from other suppliers (hereinafter called “third party suppliers”) are used and their headquarters is located in another country, we assume that a data transfer occurs to the country in which the third-party supplier is headquartered. Third party countries are countries in which the GDPR is not a directly applicable law, meaning fundamentally countries outside of the EU or the European Economic Area. The transfer of data to third party states is either done when there is a suitable data protection level, consent by the user or there is another type of legal permission.
Provision of contractual services
- We process file data (such as names and addresses and contact data of users), contractual data (such as services ordered, names of contacts, payment information) for the purpose of fulfilling our contractual obligations and services pursuant to article 6 (1) (b) GDPR.
- As an option, users may create a user account to be able to review their membership type and number of their licenses. The required obligatory information of the users is provided within the framework of registration. The user accounts are not public and cannot be indexed by search engines. When users cancel their user accounts, the data regarding the user account is deleted, except if storage is required for commercial or tax reasons pursuant to article 6 (1) (c) GDPR. It is up to the user to secure their data after successful cancellation before the end of the contract. We are authorized to permanently delete all user data saved during the term of the contract.
- The IP address and the time of the relevant user action will be saved within the framework of the registration and subsequent logins and availing of our online services. Saving is done based on our legitimate interests as well as those of the user regarding protection from abuse and other unauthorized use. Forwarding of these data to third parties is generally not done, except if required to fulfil our claims or there is a legal obligation to do so pursuant to article 6 (1) (c) GDPR.
- We process use data (such as the websites of our online offering visited, interest in our products) and content data (such as entries in the contact form or user profile) for advertising purposes in a user profile to provide, for example, product information based on their previous ordered services.
- When contacting us (via contact form or e-mail), the information of the user is processed to process the contact request and its completion pursuant to article 6 (1) (b) GDPR.
- The user information may be stored in our Customer Service Relationship Management System (“CRM System”) or comparable request organization.
- We use the “Pipedrive” CRM system from the provider Pipedrive at 460 Park Ave South New York, NY 10016, USA, based on our legitimate interests (efficient and rapid processing of user inquiries). For this we have concluded a contract with Help Scout with so-called standard clauses, in which Help Scout is obligated to process the user data only pursuant to our instructions and maintaining the EU data protection level.
- We use Fastbill, from the provider FastBill GmbH Wildunger Str. 6 60487 Frankfurt am Main for billing based on our legitimate interests (efficient and rapid processing of user inquiries). For this we have concluded a contract with Help Scout with so-called standard clauses, in which Help Scout is obligated to process the user data only pursuant to our instructions and maintaining the EU data protection level.
Comments and Contributions
- If users leave comments or other contributions, their IP addresses are saved for 7 days based on our legitimate interest in terms of article 6 (1) (f) GDPR.
- This is done for our security, if anyone has left illegal content in comments and contributions (insults, prohibited political propaganda, etc.). In this case, we can be held accountable for the comment or contribution and are therefore interested in the identity of the writer.
Collection of access data and logfiles
- Based on our legitimate interests in terms of article 6 (1) (f) GDPR, we collect data about every access to the server on which this service is located (so-called server logfiles). Access data include the name of the website queried, file, date and time of the query, transferred data quantity, report of successful query, browser type with version, operating system of the user, referrer URL (the page previously visited), IP address and requesting provider.
- Logfile information is saved for a maximum of 7 days for security reasons (such as clarification of abuse or fraudulent action) and then deleted. Data which are required to be stored for longer for evidentiary purposes are exempted from deletion until the case is ultimately clarified.
Cookies & Determination of Scope
- Cookies are information transferred from our web server or web servers of third parties to the web browser of the users and saved there for later queries. Cookies can be small files or other types of stored information.
- We use “session cookies”, which are only deposited for the duration of the current visit to our online presence (such as to save your login status or to use the shopping cart function and thus making possible the use of our online offering). In a session cookie, a randomly created unique identification number is deposited, a so-called session ID. In addition, a cookie contains the information about its origin and how long it should be stored. These cookies cannot save any other data. Session cookies are deleted when you end your visit to our online offering and log out, for example.
- If the user does not want cookies to be saved on their computer, they are requested to deactivate the relevant option in the system settings of their browser. Saved cookies can be deleted in the system settings of the browser. The exclusion of cookies may lead to function limitations for this online offering.
- You can object to the use of cookies that serve for determination of scope and advertising purposes via the deactivation site of the network advertising initiative (http://optout.networkadvertising.org/) and on the American website (http://www.aboutads.info/choices) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/).
- Google is certified under the Privacy Shield Agreement and through this offers a guarantee that European Data Protection laws will be upheld (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
- Google will use this information on our behalf to analyse the use of our online offering, to create reports on the activities within this online offering and to inform us of the use of this online offering and the services associated with internet use. Pseudonymized use profiles of the users can be created from the processed data.
- We use Google Analytics in order to show our advertisements within the advertising services of Google and its partners only to those users who have shown interest in our online offering or who have certain characteristics (such as interest in certain subjects or products determined by the websites visited), which we send to Google (so-called “remarketing” or “Google Analytics Audiences”). Using the remarketing audience, we want to ensure that our advertisements are appropriate for the interests of the user and are not annoying.
- We use Google Analytics only with activated IP anonymization. This means that your IP address is truncated by Google within the member states of the European Union or in other contractual states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and truncated there.
- The IP address collected from your browser within the framework of Google Analytics will not be consolidated with other Google data. The users can prevent the storage of cookies using a relevant setting of their browser software. The users can also prevent Google from collecting the data created by the cookie and related to their use of the online offering, as well as the processing of this data by Google, by downloading and installing the browser plugin available at the link below: http://tools.google.com/dlpage/gaoptout?hl=de.
- Additional information on the use of data by Google, settings and objection options can be found on the Google websites: www.google.com/intl/de/policies/privacy/partners (“Data use by Google on your use of websites or apps of our partners”), www.google.com/policies/technologies/ads (“Data use for advertising purposes”), www.google.de/settings/ads (“Managing information that Google uses to show you advertisements”).
- Based on our legitimate interests (such as the interest in the analysis, optimization and economical operation of our online offering in terms of article 6 (1) (f) GDPR), we use the marketing and remarketing services (in short “Google Marketing Services”) of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (“Google”).
- Google is certified under the Privacy Shield Agreement and through this offers a guarantee that European Data Protection laws will be upheld (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
- The Google Marketing Services allows us to display advertisements in a targeted manner for and on our website, to present users with only the advertisements that may potentially interest them. If a user is shown advertisements for products that they have shown interest in on other websites, we call this “remarketing”. For this purpose, when querying our and other websites on which Google Marketing Services is active, a code from Google is immediately assigned by Google and so-called (re)marketing tags (invisible graphics or code, also called “web beacons”) are integrated into the website. Using these, an individual cookie, a small file, is stored on the user's computer (technologies comparable to cookies may also be used). The cookies can be deposited by various domains, including google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com or googleadservices.com. This file notes which websites the user visits, the content in which they are interested and which offers they clicked on as well as technical information about the browser and operating system, referring websites, visit time and other information on the use of the online offering. The IP address of the user is also collected, whereby we notify within the framework of Google Analytics that the IP address within member states of the European Union or in other contractual states of the Treaty on the European Economic Area will be truncated, and only in cases of exception sent as a whole to a Google server in the USA and truncated there. The IP address will not be linked to the data of the user within other offers from Google. The present information can also be linked to such information from other sources on the part of Google. If the user then visits other websites, advertising fit for their interests can be displayed.
- The user data are processed under a pseudonym within the framework of the Google Marketing Services. This means that Google does not save and process the name or e-mail address of the user but processes the relevant cookie-related data using a pseudonymized user profile. This means that from the viewpoint of Google, the advertisements are not administered for concretely identified persons, but only for the cookie owner, regardless of who this cookie owner is. This does not apply if a user has expressly authorized Google to process this data without pseudonymization. The information collected by Google Marketing Services is sent to Google and stored on Google's servers in the USA.
- The online advertising program “Google AdWords” is one of the Google Marketing Services we use. In the case of Google AdWords, every AdWords customer receives a different “conversion cookie”. Cookies can thus not be traced via the websites of AdWords customers. The information collected using cookies serves for the creation of conversion statistics for AdWords customers who have decided to use conversion tracking. The AdWords customers can see the total number of users that have clicked on their advertisement and who were forwarded to a page equipped with a conversion tracking tag. They do not receive any information that can be used to identify a user personally.
- We can also use the “Google Optimizer” service. Google Optimizer allows us to see how various changes affect a website within the framework of so-called “A/B testing” (such as changes to entry fields, design, etc.). Cookies are deposited on the users’ devices for test purposes. Only the pseudonymized user data is processed.
- In addition, we can use “Google Tag Manager” to include the Google analysis and marketing services in our website and manage them.
- You will find additional information on the use of data for marketing purposes by Google at the overview page: www.google.com/policies/technologies/ads, Google's data protection statement can be found at www.google.com/policies/privacy.
- If you wish to object to this interest-based advertising by Google Marketing Services, you can use the Google settings and opt-out function: http://www.google.com/ads/preferences.
Jetpack (WordPress Stats)
- Based on our legitimate interests (meaning the interest in the analysis, optimization and economical operation of our online offering in terms of article 6 (1) (f) GDPR), we use the plugin Jetpack (here the sub-function “WordPress Stats”), which includes a tool for statistical analysis of the visitor accesses from Automattic, Inc. 132 Hawthorne Street San Francisco, CA 94107, USA. Jetpack utilizes so-called “Cookies”, text files which are saved on your computer and which enable an analysis of your use of the website.
- Automattic is certified under the Privacy Shield Agreement and through this offers a guarantee that European Data Protection laws will be upheld (https://www.privacyshield.gov/participant?id=a2zt0000000CbqcAAC&status=Active).
- The information created by the cookie on your use of this online offering is saved on a server in the USA. This enables creation of user profiles of the users from the processed data, which is only used for analysis and not for advertising purposes. You can find additional information in the data protection statement of Automattic: https://automattic.com/privacy/ and information on Jetpack cookies: https://jetpack.com/support/cookies/.
- Based on our legitimate interests (meaning the interest in the analysis, optimization and economical operation of our online offering in terms of article 6 (1) (f) GDPR), we use StatCounter, a web analysis service which includes a tool for statistical analysis of the visitor accesses and is operated by StatCounter, Guinness Enterprise Centre, Taylor's Lane Dublin 8, Ireland. StatCounter utilizes so-called “Cookies”, text files which are saved on your computer and which enable an analysis of your use of the website.
- The information created by the cookie on your use of this online offering is saved on a StatCounter operated server. This enables creation of user profiles of the users from the processed data, which is only used for analysis and not for advertising purposes. You can find additional information in the KnowledgeBase of StatCounter https://statcounter.com/support/knowledge-base/314/
- The following information is provided to inform you of the content of our newsletter and subscription, dispatch and statistical analysis procedures as well as your rights to opt-out. If you subscribe to our newsletter, you are consenting to the receipt and the procedure described.
- Content of the newsletter: We send the newsletter, e-mails and other electronic notifications with advertising information (hereinafter “newsletter”) only with the consent of the recipient or with a legal permission. To the extent that within the registration for the newsletter this content is concretely defined, it represents the consent of the user. In addition, our newsletters contain information on our products, offers, specials and our company.
- Double opt-in and protocolling: The subscription to our newsletter is done in a so-called double opt-in procedure. This means that you will receive an e-mail after subscription in which you are asked for a confirmation of your subscription. This confirmation is necessary so that no one can register with someone else's e-mail address. The subscriptions to the newsletter are recorded to be able to trace the subscription process according to the legal requirements. This includes storing the registration and confirmation time as well as the IP address. The changes to the data you entered saved by the dispatch service provider are also recorded.
- Dispatch services provider: Our newsletter is sent using Inxmail GmbH, Wentzingerstr. 17 D-79106 Freiburg/GERMANY, hereinafter referred to as the “dispatch service provider”. You can find the data protection provisions of the dispatch services provider here: www.inxmail.de/datenschutz.
- In addition, the dispatch service provider can use this data in pseudonymized form for its own information, meaning without assigning it to a user, for optimization or improvement of its own services, such as for technical optimization of the dispatch and display of the newsletter or for statistical purposes to determine which countries the recipients come from. The dispatch service provider does not use the data of our newsletter recipients to subscribe them themselves or forward it to third parties.
- Registration data: Your e-mail address is sufficient to subscribe to the newsletter. Optionally we request that you enter your name for the purpose of a personal salutation in the newsletters.
- Statistical collection and analyses: the newsletter contains a so-called “web beacon”, meaning a pixel sized file that is called up by our server when you open the newsletter. During this query, initially technical information is collected about your browser and your system, as well as your IP address and time of query. This information is used for technical improvement of the service using the technical data or the target groups and their reading behaviour using the query location (using the IP address) or the access times. The statistical collection also involves the determination of whether the newsletter is opened, when it was opened and which links were clicked. This information can be assigned to the individual newsletter recipients for technical reasons. It is neither our intention nor that of our dispatch service provider to observe any individual user. The analyses serve rather to recognize the reading habits of our users and to adapt our content to them or to provide different content according to the interests of our users.
- The use of the dispatch service provider, implementation of the statistical collection and analyses as well as the protocolling of the registration procedure are done based on our legitimate interest pursuant to art. 6 (1) (f) GDPR. Our interest is focused on the use of a user-friendly and secure newsletter system which serves our commercial interests as well as meets the expectations of the users.
- Cancellation/Revocation - You can unsubscribe from our newsletter at any time, meaning you may revoke your consent. At the same time, your consents to the dispatch by the dispatch service provider and the statistical analyses are also deleted. A separate revocation of consent to dispatch by the dispatch service provider or the statistical analysis is unfortunately not possible. There is an unsubscribe link to cancel the newsletter at the end of each newsletter. If users have only registered for the newsletter and have cancelled this subscription, their personal data will be deleted.
Inclusion of services and content of third parties
- Within our online offering, based on our legitimate interests (meaning interests in the analysis, optimization and economical operation of our online offering in terms of art. 6 (1) (f) GDPR) we use content or services of third parties to include their content and services such as videos or texts (hereinafter called “content”). This always assumes that the third-party providers of this content are aware of the IP address of the users, because without this IP address they could not send the content to the browsers. The IP address is thus required for the display of this content. We try only to use such content, the providers of which use the IP address only for the provision of the content. Third party providers can also use so-called pixel tags (invisible graphics, also called web beacons) for statistical or marketing purposes. Through “pixel tags", information such as the visitor traffic on the pages of this website can be analysed. The pseudonymized information can also be saved in the form of cookies on the user device and contain information including technical information on the browser and operating system, referring websites, visiting time and other information on use of our online offering, as well as be associated with such information from other sources.
- The following example provides an overview of third party providers as well as their content, in addition to links to their data protection statements, which contain additional information on the processing of data and, as mentioned here, your options for objecting (so-called opt-out):
- If our customers use the payment services of third parties (such as PayPal), the terms and conditions and data protection statement of the relevant third-party provider apply, which can be found on the relevant websites and transaction applications.
- Maps of the “Google Maps” service of the third-party provider Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data protection statement: www.google.com/policies/privacy/, Opt-Out: https://www.google.com/settings/ads/.
- Videos of the “YouTube” platform of the third-party provider Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data protection statement: www.google.com/policies/privacy/, Opt-Out: https://www.google.com/settings/ads/.
Rights of the User
- Users have the right to receive, upon request, the information that is saved about them.
- In addition, users have the right to report incorrect data, limitation of processing and deletion of their personal data, if applicable, to exercise their rights and, where they assume illegal data processing, to lodge a complaint with the responsible oversight authorities.
- Users may also revoke consent with effect in the future.
- The data we store are deleted as soon as they are no longer needed for their intended purpose and if the deletion does not violate any legal storage requirements. If the data of the user are not deleted because they are required for a legally required purpose, the processing of this data is limited. This means that the data are locked and not processed for any other purposes. This applies, for example to user data that must be stored for commercial or taxation purposes.
- According to the legal provisions, the storage is set for 6 years pursuant to article 257 (1) of the Commercial Code (commercial registers, inventories, opening balances, annual reports, business letters, accounting records, etc.) as well as 10 years pursuant to article 147 (1) of the Tax Code (accounts, diagrams, financial reports, accounting records, business letters, documents relevant for taxation, etc.).
Right to Objection
Users can withdraw their consent to the future processing of their personal data at any time according to the legal provisions. The objection can be made in particular against the processing for the purpose of direct advertising.
Changes to the Data Protection Statement
- We reserve the right to change the data protection statement due to changed legal bases or if there are changes to the service and data processing. This applies only with regard to statements on data processing. If user consent is required or parts of the data protection statement contain provisions on the contractual relationship with the users, the changes are only made with user consent.
- The users are asked to regularly check the content of the data protection statement.