Privacy policy according to Art. 13, 14 GDPR

Status: August 2022

 

1. Name and address of the controller

The controller within the meaning of Art. 4 No. 7 of the EU General Data Protection Regulation (GDPR) is:

RiffReporter – die Genossenschaft für freien Journalismus eG 

Buchtstraße 13 – 28195 Bremen – Germany

represented by Tanja Krämer

E-mail: info@riffreporter.de

Phone: 0049 421 – 2575 8354

www.riffreporter.de 

2. General information on data processing 

With this data protection declaration, we would like to inform you about how we, as the controller, process personal data relating to you within the scope of our dialogue research and what rights you have in this regard.

According to Article 4 No. 1 of the General Data Protection Regulation (GDPR), personal data is any information relating to an identified or identifiable natural person. As a matter of principle, we only process personal data relating to you insofar as you provide it to us by contacting us and communicating via the external service you have chosen for communication, or insofar as its processing is necessary for the functioning of our content or due to legal obligations. By participating in our message dialogue service, you confirm in accordance with Art. 8 GDPR that you are at least 16 years old or have the consent of your legal guardian.

External messengers such as Threema, Telegram, Signal or email providers (hereinafter "external messenger providers") count as an external service for communicating with you.

 

Personal data concerning you that you voluntarily provide to us will be used with your consent for opinion research, news research or for statistical purposes. For the technical collection and display of this data, we work in particular with the external software "100eyes", hereinafter referred to as "software", which is a product of tactile.news GmbH from Lüneburg (see section 4).

 

3. External messenger providers

 

You can subscribe to our messaging service via the external messenger providers Threema, Telegram, Signal and via email. You can find more information about the providers under the respective name in this section. 

 

1. THREEMA

 

Threema is a mobile app provided by Threema GmbH (hereinafter ‚Threema‘). To sign up for our services and messages via Threema, you need to download the mobile app via the Apple AppStore or the Google Playstore and install it on your own smartphone.  

 

Registration for our services via Threema is always carried out in a so-called double opt-in process, i.e. when you register via our website, you will receive a message via Threema in which you will receive our privacy policy and will be asked to confirm your registration and consent to the privacy policy. This confirmation is necessary so that no one can register using someone else’s contact details. The consent message is logged in order to be able to prove the registration process in accordance with legal requirements. This includes the storage of the registration and confirmation time and your user name, etc. 

 

Threema can be used without providing any personal data. If you voluntarily provide your phone number or email address, you confirm that you are at least 16 years old or have the consent of your legal guardian in accordance with Art. 8 GDPR. Threema encrypts all messages, including tax messages, using a highly secure end-to-end encryption method.

 

By using the app, you consent to the collection, processing and use of data in accordance with Threema’s terms and conditions. We are not responsible for the messenger provider Threema. For more information on data protection, please refer to Threema’s privacy policy.

 

2. SIGNAL

 

Signal is a mobile app provided by Privacy Signal Messenger, LLC (hereinafter "Signal"). To register for our services and messages via Signal, you must download the mobile app via the Apple AppStore or the Google Playstore and install it on your own smartphone.

Registration for our services via Signal is always carried out in a so-called double opt-in process. This means that when you register via our website, you will receive our privacy policy and will be asked to agree to it. You will then be asked to send us a first message via Signal. Only then can we send you messages. Your welcome message is logged in order to be able to prove the registration process in accordance with legal requirements. This includes the storage of the registration and confirmation time as well as the user name and phone number.

 

Signal requires you to enter your telephone number in order to use the service. If you voluntarily provide further personal data, you confirm that you are at least 16 years old or have the consent of your legal guardian in accordance with Art. 8 GDPR. Signal encrypts all messages, including tax messages, using a highly secure end-to-end encryption method.

 

By using the app, you consent to the collection, processing and use of data in accordance with Signal’s policies. We are not responsible for the messenger provider Signal. For more information on data protection, please refer to Signal’s privacy policy.

 

3. TELEGRAM 

 

Telegram is a cloud-based mobile app as well as desktop messaging app by Telegram FZ-LLC (hereinafter "Telegram"). To sign up for our services and messages via Telegram, you will need to download the mobile app via the Apple AppStore or Google Playstore and install it on your own smartphone, or launch the app via a browser or Telegram's corresponding software. After installation, the app can, if you allow it, access the contact data from your phone book in order to be able to display other Telegram users in the app through a comparison. Telegram may require you to provide personal data (email address, mobile number, name, etc.). Telegram only encrypts "secret chats" with a highly secure end-to-end encryption method.

 

Registration for our services via Telegram is always carried out in a so-called double opt-in procedure, i.e. when you register via our website, you receive a message in which you receive our privacy policy and are asked to confirm your registration and consent to the privacy policy. This confirmation is necessary so that no one can register using someone else’s contact details. The consent message via Telegram is logged in order to be able to prove the registration process in accordance with legal requirements. This includes the storage of the login and confirmation time and your username etc.

 

By using the app, you agree to the collection, processing and use of data in accordance with Telegram's terms and conditions. We are not responsible for the messenger provider Telegram. For more information on data protection, please refer to Telegram's privacy policy.

 

4. E-MAIL

 

We send our news and other electronic notifications via e-mail only with your consent. To register, it is generally sufficient to provide your e-mail address. However, we may ask you to provide a name, for the purpose of personal address, or other personal details in the course. You also have the option of responding to the messages you receive. 

 

Double opt-in procedure: 

 

Registration for our services via e-mail is always carried out in a so-called double opt-in procedure, i.e. when you register you will receive an e-mail asking you to confirm your registration. This confirmation is necessary so that no one can register with other people's e-mail addresses. The registrations are logged in order to be able to prove the registration process in accordance with the legal requirements. This includes saving the time of registration and confirmation as well as the IP address. Changes to your data stored with the mailing service provider are also logged.

 

Deletion and restriction of processing: 

 

We may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them to prove consent was previously given. The processing of this data will be limited to the purpose of a possible defence against claims. An individual request for deletion is possible at any time, provided that the former existence of consent is confirmed at the same time. In the event of obligations to permanently observe objections, we reserve the right to store the e-mail address in a blacklist for this purpose alone.

 

The logging of the registration process takes place on the basis of our legitimate interests for the purpose of proving its proper course. If we commission a service provider to send e-mails, this is done on the basis of our legitimate interests in an efficient and secure sending system.

 

Notes on legal basis: 

 

The messages are sent on the basis of your consent pursuant to Art. 6 para. 1 lit. a GDPR. Insofar as we commission a service provider to send e-mails, this is done on the basis of our legitimate interests. The registration process is recorded on the basis of our legitimate interests to prove that it was carried out in accordance with the law.


4. External service provider 

 

For the technical implementation of our news service and the collection and display of this data, we work in particular with the external software 100eyes, which is a product of tactile.news GmbH from Lüneburg. 100eyes is software that enables editorial offices or companies to send messages to many people via the chosen medium ("external (messenger) provider") with one click. You are a user or reader being contacted. Your responses via your chosen messenger provider will be processed by 100eyes so that we can use your response for research purposes. You can decide yourself at any time which personal data you wish to communicate and revoke your consent at any time, as well as have the personal data deleted (see section 8).

 

In addition, tactile.news GmbH uses various external services to ensure the functioning of the 100eyes website, where you can register for our community:

 

External service: Digital Ocean, LLC
Processing location: Germany
Type of service: Cloud infrastructure provider
Type of data: Data transferred by your customers, this includes emails, documents and other data.

External service: Cloudflare, Inc.
Processing location: USA
Type of service: Internet security services (DNS hosting, content delivery network, DDoS protection and application firewall)
Type of data: Device identification data and trace data (e.g. IP addresses, MAC addresses, web logs, browser agents). Any personal data provided by end users of the service.

External service: Sentry (Functional Software, Inc.)
Processing location: USA
Type of service: Error monitoring of the software
Type of data: Device, connectivity and configuration data; data about devices and the network you use to connect to our services (operating system and other software installed on your device, including product keys, IP address, browser type, operating system and referring URLs).

External service: Uberspace (Jonas Pasche)
Processing location: Germany
Type of service: Web hosting
Type of data: Device identification data and trace data (e.g. IP addresses, MAC addresses, web logs, browser agents).

 

5. Use of cookies

Our website uses cookies. Cookies are text files that are stored by the website on your computer system. When you access a website, a cookie may be stored on the operating system. This cookie contains a characteristic string of characters that enables unique identification when you return to the website.
We use cookies to make our services more user-friendly. The purpose of using technically necessary cookies is to simplify the use of websites. Certain functions of our software cannot be offered without the use of cookies. For these, it is necessary that the software is recognised even after a page change. The data collected by these technically necessary cookies are not used to create user profiles. The following cookies are used: 

Name of the cookie: _app_session
Purpose: Technically necessary to ensure the functionality of the application.
Storage duration: Until the browser is closed

Name of the cookie: remember_token
Purpose: Storage of login information for 100eyes
Storage duration: 24 hours

Name of the cookie: __cfduid
Purpose: Necessary to support security features (helps detect malicious users and thus minimises blocking of legitimate users)
Storage duration: 30 days

 

The legal basis for the processing of personal data using cookies is Art. 6 (1) lit. f GDPR. The aforementioned purposes also constitute our legitimate interest in processing personal data according to Art. 6 (1) lit. f GDPR.

Cookies are stored on your terminal device and transmitted to us by it. Therefore, you also have full control over the use of cookies. Cookies that have already been stored can be deleted at any time. 

6. Legal basis

We process your data in particular on the following legal bases:

  • Insofar as you give your consent for processing operations of the personal data concerning you, Art. 6 para. 1 lit. a GDPR serves as the legal basis.
  • When processing the personal data concerning you and the personal data required for the performance of a contract to which you are a party, Art. 6 (1) lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary for the implementation of pre-contractual measures.
  • Insofar as the processing of personal data relating to you is necessary for the fulfilment of a legal obligation to which we are subject, Art. 6 (1) lit. c GDPR serves as the legal basis.
  • In the event that your vital interests or those of another natural person make it necessary to process personal data relating to you, Art. 6 (1) lit. d GDPR serves as the legal basis.
  • If the processing is necessary to protect a legitimate interest of us or a third party and your interests, fundamental rights and freedoms do not outweigh the first-mentioned interest, Art. 6 (1) lit. f GDPR serves as the legal basis for the processing.

Personal data relating to you will be deleted or blocked as soon as the purpose of the storage no longer applies. Storage may also take place if this has been provided for by the European or national legislator in Union regulations, laws or other provisions to which we are subject as the responsible party. Data will be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need to continue storing the data for the conclusion or fulfilment of a contract.

In principle, you are neither legally nor contractually obliged to provide us with your data. However, it may not be possible for us to provide certain services – such as the use of communication via the external messenger provider – without you providing us with your data. We do not carry out automated decision-making or profiling within the meaning of Article 22 of the Data Protection Regulation, which has legal effect on you or which may significantly affect you in a similar way.  

7. Recipients of the data / processing in third countries 

We partly cooperate with common external service providers (e.g. IT service providers) and external services for communication, if it is necessary for data transfer and communication related to our services. Otherwise, only persons within our company have access to personal data that they need for their internal tasks. Your personal data will only be processed in countries outside the European Economic Area (so-called third countries) if this is necessary for the provision of an agreed service. 

Some third countries are certified by the European Commission through so-called adequacy decisions to have a level of data protection comparable to the EEA standard (a list of these countries and a copy of the adequacy decisions can be found HERE). However, in other third countries to which personal data may be transferred, there may not be a consistently high level of data protection due to a lack of legal provisions. If this is the case, we ensure that data protection is sufficiently guaranteed. This is possible through binding company regulations, standard contractual clauses of the European Commission for the protection of personal data, certificates or recognised codes of conduct. 


8. Rights of the data subject


If personal data relating to you is processed, you are the data subject within the meaning of the GDPR, i.e. the person who can be identified from the data. You are entitled to the following rights vis-à-vis us: 

1. RIGHT OF ACCESS (ART. 15 GDPR).

You may request confirmation from us as to whether personal data relating to you is being processed by us. If such processing is taking place, you may request information from us about the following:

  • the purposes for which the personal data are processed;
  • the categories of personal data which are processed;
  • the recipients or categories of recipients to whom the personal data relating to you have been or will be disclosed;
  • the planned duration of the storage of the personal data relating to you or, if specific information on this is not possible, criteria for determining the storage period;
  • the existence of a right to rectify or erase the personal data concerning you, a right to restrict processing by the controller or a right to object to such processing;
  • the existence of a right of appeal to a supervisory authority;
  • any available information on the origin of the data if the personal data is not collected from the data subject;
  • the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.

You also have the right to request information on whether the personal data concerning you are transferred to a third country or to an international organisation. In this context, you may request to be informed about the appropriate safeguards pursuant to Article 46 of the GDPR in connection with the transfer.

2. RIGHT OF RECTIFICATION (ART. 16 GDPR) 

You have the right to rectification and/or completion if the personal data processed about you is inaccurate or incomplete. We must carry out the rectification without delay.

3. RIGHT TO ERASURE (ART. 17 GDPR)

Obligation to erase: You may request us to erase the personal data concerning you without delay. We are obliged to erase this data immediately if one of the following reasons applies: 

  • Personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.
  • You revoke your consent on which the processing was based pursuant to Art. 6 (1) (a) or Art. 9 (2) (a) GDPR and there is no other legal basis for the processing.
  • You object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing or you object to the processing pursuant to Article 21(2) of the GDPR.
  • The personal data concerning you have been processed unlawfully.
  • The erasure of the personal data concerning you is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.
  • The personal data concerning you has been collected in relation to information society services offered pursuant to Article 8(1) of the GDPR.

If the controller has made the personal data concerning you public and is obliged to erase it pursuant to Article 17(1) of the GDPR, it shall take reasonable steps, including technical measures, having regard to the available technology and the cost of implementation, to inform data controllers which process the personal data that you, as the data subject, have requested that they erase all links to, or copies or replications of, that personal data.

Exceptions: The right to erasure does not exist insofar as the processing is necessary:

  • for the exercise of the right to freedom of expression and information;
  • for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • for reasons of public interest in the area of public health pursuant to Art. 9(2)(h) and (i) and Art. 9(3) GDPR;
  • for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes pursuant to Art. 89 (1) GDPR, insofar as the right referred to under erasure obligation is likely to render impossible or seriously prejudice the achievement of the purposes of such processing; or
  • for the assertion, exercise or defence of legal claims.

4. RIGHT TO RESTRICT PROCESSING (ART. 18 GDPR).

You may request the restriction of the processing of personal data concerning you under the following conditions:

  • if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
  • if the processing is unlawful and you object to the erasure of the personal data and request instead the restriction of the use of the personal data;
  • if the controller no longer needs the personal data for the purposes of processing, but you need it for the assertion, exercise or defence of legal claims; or
  • if you have objected to the processing pursuant to Article 21(1) GDPR and it is not yet clear whether the legitimate grounds of the controller override your grounds.

If the processing of personal data relating to you has been restricted, such data may – apart from being stored – only be processed with your consent or for the assertion, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State. If the restriction of processing is lifted after the above conditions, you will be informed by the controller before the restriction is lifted.

5. RIGHT TO DATA PORTABILITY (ART. 20 GDPR)

You have the right to obtain personal data relating to you which you have provided to us on the basis of consent in a structured, commonly used and machine-readable format or to request that it be transferred to another controller.

6. RIGHT OF OBJECTION (ART. 21 GDPR)

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data relating to you which is carried out on the basis of Article 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions.

The controller shall no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, in particular where the processing is for the establishment, exercise or defence of legal claims.

If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing. If you object to the processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.

7. RIGHT TO REVOKE CONSENT UNDER DATA PROTECTION LAW (ART. 7(3) GDPR)

You have the right to revoke your declaration of consent under data protection law at any time. The revocation does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

8. RIGHT OF APPEAL TO A SUPERVISORY AUTHORITY (ART. 77 GDPR)

You have the right to complain to a supervisory authority. For this purpose, you can contact the supervisory authority of your place of residence or workplace or the supervisory authority responsible for us.