3rd European Micro Gas Turbine Forum Conference
21st and 22nd November 2019
Gräfin-von-Linden-Hörsaal, Deutsches Zentrum für Luft- und Raumfahrt, Stuttgart
The following information will give you an overview of the processing of your personal data by us and your rights under data protection law.
1. Who is responsible for data processing and who can I contact?
The controller in the sense of the General Data Protection Regulation and other national data protection laws of the member states and other data protection regulations is:
Deutsches Zentrum für Luft- und Raumfahrt e. V. (German Aerospace Center – DLR)
Telephone: +49 2203 601-0
Name and address of the data protection officer
The controller’s data protection officer is
Uwe Gorschütz, Deutsches Zentrum für Luft- und Raumfahrt e. V., Linder Höhe, 51147 Cologne
3. Which data do we use?
You can generally visit our website without revealing your identity to us. When you send us an email or contact form, your message and email address will only be used for correspondence with you. In individual cases, such as when using our participant management system, it is necessary to process your personal data. This includes participants’ contact data, and, where necessary, other data which is necessary for the carrying out the event, such as special customer's requests or data regarding consultants’ CVs.
4. For which purposes and on which legal basis do we use your data?
We process your personal data in line with the provisions of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) as well as the German Teleservices Act (TMG)
a) For fulfilling contractual obligations (Article 6 Para. 1b GDPR)
Personal data is processed for the provision of business in the context of carrying out events for our customers or for our own events, as well as for carrying out precontractual measures, which take place at your request.
b) As part of balancing interests (Article 6 Para. 1f GDPR)
If necessary, we process your data beyond the actual performance of the contract to protect our legitimate interests or those of third parties. Examples:
• asserting legal claims and defence in legal disputes
• guaranteeing IT security
c) Based on your consent (Article 6 Para. 1f GDPR)
If you have given us your consent to process personal data for specific purposes (e.g. newsletter subscription), this processing is legal on the basis of your consent. Consent that has been given can be revoked at any time. Please note that the revocation will only take effect in the future. Processing that took place prior to revocation is not affected by this.
5. Who receives my data?
Within the DLR, departments that require access to your data to fulfil our contractual and legal obligations shall receive it. Service providers and vicarious agents employed by us may also receive data for these purposes if they maintain confidentiality and comply with our data protection instructions. Where necessary, we pass on data that we receive as part of our participant management system to the event organiser.
Data for processing payment is not stored by us. Payments are processed directly by our service provider heidelpay GmbH, Vangerowstraße 18, D–69115 Heidelberg.
6. Will data be transferred to a third country?
Data is not transferred to countries outside the EU or the EEA (so-called “third countries”). In individual cases, for example, if an event takes place in a third country, it may be necessary to transmit the data required to conduct the event.
7. How long is my data stored?
We process and store your personal data as long as is necessary for fulfilling our contractual and legal obligations. If the data is no longer required for fulfilling contractual or legal obligations, they are regularly deleted unless their - limited - further processing is required for fulfilling commercial and tax retention periods, such as the Commercial Code and the Tax Code. The periods for storage and documentation specified there are six to ten years.
1. Personal data
Personal data is all information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”. Identifiable means a natural person who can be identified directly or indirectly in particular by assignment to an identifier, such as a name, an identification number, location data, an online identifier or one or more special characteristics that express the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
2. Data subject
A data subject is any identified or identifiable natural person whose personal data is processed by the controller.
Processing is any operation carried out with or without the help of automated procedures or any such set of operations relating to personal data, such as the collection, recording, organisation, classification, storage, adaptation or alteration, selection, retrieval, use, disclosure by transmission, dissemination or any other form of provision, comparison or linking, restriction, deletion or destruction.
4. Restriction on processing
Restriction on processing is the marking of stored personal data with the aim of restricting its future processing.
Profiling is any kind of automated processing of personal data consisting of using personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to work, economic situation, health, personal preferences, interests, reliability, behaviour, location or relocation of that natural person.
Pseudonymisation is processing personal data in a way in which the personal data can no longer be assigned to a specific data subject without additional information provided that this additional information is kept separately and is subject to technical and organisational measures that ensure that the personal data is not assigned to an identified or identifiable natural person.
7. Controller or those responsible for processing
The controller or those responsible for processing is/are the natural or legal person, authority, institution or other body that alone or jointly with others decides on the purposes and means of processing personal data. If the purposes and means of this processing are prescribed by EU law or by the law of the member states, the controller or the specific criteria for his appointment may be stipulated in accordance with EU law or the law of the member states.
8. External processor
An external processor is a natural or legal person, authority, institution or other body that processes personal data on behalf of the controller.
The recipient is a natural or legal person, authority, institution or other body to which personal data is disclosed, regardless of whether it is a third party or not. However, authorities that may receive personal data under EU law or the law of the member states as part of a particular investigation mandate shall not be regarded as recipients.
10. Third party
A third party is a natural or legal person, authority, institution or other body aside from the data subject, the controller, external processor and persons authorised to process the personal data under the direct responsibility of the controller or external processor.
Consent is any informed and unequivocal expression of will voluntarily given by the data subject for a particular case in the form of a declaration or other clear affirmative act by which the data subject indicates his or her consent to the processing of personal data concerning him or her.
9. General information about data processing
1. Scope of processing personal data
We only process our users’ personal data if this is necessary to provide a functioning website as well as our contents and services. Processing our users’ personal data is regularly only done with the users’ consent. An exception is in cases where prior consent cannot be obtained for practical reasons and where data processing is permitted by law.
2. Legal basis for processing personal data
If we obtain the consent of the data subject for processing personal data, Article 6 Para. 1 Lit. a EU General Data Protection Regulations (GDPR) serves as the legal basis.
When processing personal data required for the performance of a contract to which the data subject is a party, Article 6 Para. 1 Lit. b serves as the legal basis. This also applies to processing required for executing precontractual measures.
If processing personal data is required to fulfil a legal obligation to which our research centre is subject, Article 6 Para. 1 Lit. c GDPR serves as the legal basis.
In the event that the vital interests of the data subject or another natural person make processing personal data necessary, Article 6 Para. 1 Lit d GDPR serves as the legal basis.
If processing is necessary to safeguard a legitimate interest of our research centre or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Article 6 Para. 1 Lit. f GDPR serves as the legal basis for processing.
3. Date deletion and storage duration
The personal data of the data subject is deleted or blocked as soon as the purpose for storage ceases to exist. Furthermore, data may be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.
8. Which data protection rights do I have?
You have the right to information according to Article 15 GDPR, the right to correction according to Article 16 GDPR, the right to deletion according to Article 17 GDPR, the right to restrict processing according to Article 18 GDPR, the right to objection from Article 21 GDPR and the right to data transferability from Article 20 GDPR. Furthermore, you have the right to complain to a data protection supervisory authority (Article 77 GDPR in conjunction with Section 19 BDSG).
You will find a list of supervisory authorities and their contact details using the following link: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html
You can revoke your consent to the processing of personal data at any time. Please note that the revocation will only take effect in the future. Processing that took place prior to revocation is not affected by this.
To exercise your rights, please use the aforementioned contact details for our data protection officer.
You will find more details about your rights as the so-called “data subject” in point 15.
9. Is there an obligation to provide data?
When registering for events or ordering services (such as newsletters), you must provide the personal data required to carry out an event or to provide a service and to fulfil the associated contractual obligations or which we are legally obliged to collect. These data fields are marked as mandatory fields when collecting data. Without this data we usually have to refuse the conclusion of the contract or the execution of the order or an existing contract can no longer be carried out and may have to end.
10. Is there automated decision-making, including profiling?
We generally do not use fully automated decision-making, including profiling, in accordance with Article 22 GDPR.
You will be informed in the event that we used profiling for targeted marketing.
11. Information regarding your right to objection according to Article 21 GDPR
a) Right to objection on a case-by-case basis
You have the right to object to the processing of your personal data for reasons arising from your particular situation. The prerequisite for this is that data processing is in the public interest or based on balancing interests. This also applies to profiling. In the event of an objection, we will no longer process your personal data unless we can prove compelling legitimate reasons for processing this data that outweigh your interests, rights and freedoms. Or your personal data is used to assert, exercise or defend legal claims.
b) Objection to the processing of your data for direct marketing purposes
We will use your personal data for our direct marketing in individual cases. You have the right to object at any time; this also applies to profiling in connection with direct marketing. In the event of an objection, we will no longer process your personal data for these purposes. The objection can be made informally and should be addressed to the aforementioned data protection officer if possible.
12. Which data is processed when using the website?
a) Usage-related information
We receive usage data from visits to our websites. This includes information, such as screen resolution, browser version, Internet access, operating system, language, plug-ins used, country/region of origin and search engines. The stored data is only analysed for statistical purposes. It is not passed on to third parties nor is a user-related analysis carried out.
So-called “session cookies” are used when visiting individual sites in order to facilitate navigation. These cookies expire at the end of the session and do not contain any personal data, meaning the contents of the cookies are not analysed on a user-related basis. You can set your browser to only allow cookies in individual cases or not at all.
Cookies that are required to carry out the electronic communication process or to provide
certain functions (e.g. registration, login, processing payments) are stored on the basis of Article 6 Para. 1 Lit. f GDPR. In this case, cookies are stored for the purpose providing our service in a technically error-free and optimised way. The functionality of this website may be limited if cookies are deactivated.
13. How safe is my data?
We use a secure online transmission procedure, so-called “Secure Socket Layer” (SSL) transmission to protect the personal data of our customers and potential customers. All information transmitted using this secure method is encrypted before it is sent. Your personal data is processed exclusively at data centres and on computers that are protected by security technologies and that meet industry standards (e.g. firewalls, password protection, access controls, etc.).
10. Rights of the data subject
If users’ personal data is processed, they are the data subject within the meaning of the GDPR and they are entitled to the following rights from the controller:
1. Right to information
You can ask the controller to confirm whether personal data concerning you will be processed by us.
If processing has taken place, you can request the following information from the controller:
(1) the purposes for which personal data is being processed;
(2) the category of personal data being processed;
(3) the recipient or categories of recipients to whom the personal data concerning you has been or is still being disclosed;
(4) the planned storage duration the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage period;
(5) the existence of a right to have the personal data concerning you corrected or deleted, a right to have processing restricted by the controller or a right to object to this kind of processing;
(6) the existence of a right to complain to a supervisory authority;
(7) all available information regarding the origin of the data if the personal data is not collected from the data subject;
(8) the existence of automated decision-making, including profiling in accordance with Article 22 Para. 1 and 4 GDPR and – at least in these cases – significant information on the logic involved and the scope and intended effects of this kind of processing for the data subject;
(9) you also have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organisation. In this context, you can request to be informed of the appropriate guarantees according to Article. 46 GDPR in connection with the transmission.
The controller shall provide a copy of the personal data that is the subject of the processing. The controller may charge an appropriate fee based on administrative costs for any further copies you request. If you submit the application electronically, the information will be provided in a common electronic format, unless otherwise specified. The right to obtain a copy in accordance with Paragraph 3 shall not affect the rights and freedoms of other persons.
2. Right to correction
As the data subject, you have the right to request that the controller correct any inaccurate personal data concerning you without delay. Taking into account the purposes of the processing, you also have the right to ask for the completion of incomplete personal data – also by means of a supplementary declaration.
3. Right to restrict processing
You may request that the processing of personal data concerning you be restricted under the following conditions:
(1) if your dispute the accuracy of the personal data concerning you for a period of time that enables the controller to verify the accuracy of the personal data;
(2) processing is unlawful and you refuse the deletion of the personal data and instead request that the use of the personal data be restricted;
(2) the controller no longer needs the personal data for processing purposes but you do need it to assert, exercise or defend legal claims, or
(4) if you have filed an objection to the processing according to Article 21 Para. 1 GDPR and it has not yet been determined whether the legitimate reasons of the controller outweigh your reasons.
If the processing of personal data concerning you has been restricted, this data may only be processed – aside from being stored – with your consent or for the purpose of asserting, exercising or defending rights or for protecting the rights of another natural or legal person or on grounds of important public interest of the European Union or a member state.
If the processing restriction has been restricted in accordance with the aforementioned conditions, you will be informed by the controller before the restriction is lifted.
4. Right to deletion
a) Deletion obligation
You can request that the controller delete the personal data concerning you without delay and the controller obliged to delete this data without delay if one of the following reasons applies:
(1) the personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed;
(2) you revoke your consent on which the processing was based according to Article 6 Para. 1 Lit. a or Article 9 Para. 2 Lit. a GDPR and there is no other legal basis for processing;
(3) you file an objection against processing according to Article 21 Para. 1 GDPR and there are no overriding legitimate reasons for processing or you file an objection against processing according to Article 21 Para. 2 GDPR;
(4) the personal data concerning you has been unlawfully processed;
(5) the deletion of personal data concerning you is necessary to fulfil a legal obligation under EU law or the member state law to which the controller is subject;
(6) the personal data concerning you has been collected in relation to information society services offered according to Article 8 Para. 1 GDPR.
Information to third parties
If the controller has made personal data concerning you public and is obliged to delete it according to Article 17 Para. 1 GDPR, it shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform those responsible for data processing who process the personal data that you as the data subject have requested the deletion of all links to this personal data or of copies or replications of this personal data.
The right to deletion does not exist if processing is required
(1) to exercise the right to freedom of expression and information;
(2) to perform a legal obligation required for processing under EU law or member states’ law to which the controller is subject or to perform a task in the public interest or to exercise public authority that has been given to the controller;
(3) for reasons of public interest in the field of public health according to Article 9 Para. 2 Lit. h and i and Article 9 Para. 3 GDPR;
(4) for archiving purposes in the public interest, academic or historical research purposes or for statistical purposes according to Article 89 Para. 1 GDPR, if the right referred to in a) is likely to make it impossible or seriously impair the attainment of the objectives of this processing or
(5) for asserting, exercising or defending legal claims.
5. Right to notification
If you have exercised your right to have the party responsible correct, delete or limit processing, it is obliged to inform all recipients to whom the personal data concerning you has been disclosed of this correction or deletion of the data or processing restriction, unless this proves impossible or involves a disproportionate effort.
You shall also have the right to be informed about these recipients by the controller.
6. Right to data transferability
You have the right to receive the personal data concerning you that you have provided to the controller in a structured, common and machine-readable format. Furthermore, you have the right to transmit this data to another controller without any obstruction by the controller to whom the personal data was made available provided that
(1) processing is based on consent according to Article 6 Para. 1 Lit. a GDPR or Article 9 Para. 2 Lit. a GDPR or on a contract according to Article 6 Para. 1 Lit. a GDPR and
(2) processing is carried out using automated methods.
In exercising this right, you also have the right to affect that the personal data concerning you be transferred directly from one controller to another if this is technically feasible. Freedoms and rights of other people may not be affected because of this.
The right to data transferability does not apply to processing personal data necessary for performing a task in the public interest or in the exercise of public authority assigned to the controller.
7. Right to objection
You have the right, for reasons arising from your particular situation, to object to the processing of personal data concerning you under Article 6 Para. 1 Lit. e or f GDPR at any time; this also applies to profiling based on these provisions.
The controller no longer processes the personal data concerning you, unless it can prove compelling legitimate reasons for the processing, which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
If the personal data concerning you is processed for direct marketing purposes, you have the right to object to the processing of personal data concerning you for the purpose of this kind of advertising at any time; this also applies to profiling if it is in connection with this kind of direct marketing.
If you object to the processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.
You have the option of exercising your right of objection using automated procedures in which technical specifications are used, in connection with the use of information society services, notwithstanding Directive 2002/58/EC.
As the data subject, you have the right to file an objection to the processing of personal data relating to you for reasons arising from your personal situation, which is carried out for academic or historical research purposes or statistical purposes in accordance with Article 89 Paragraph 1 unless this processing is necessary for performing a task in the public interest.
8. Right to revoke consent given in accordance with Article 7 Para. 3 GDPR:
You have the right to revoke your consent to the data processing at any time with effect for the future.
In the event of revocation, we will delete the data concerned without delay unless further processing can be based on a legal basis for processing without consent. The revocation of consent shall not affect the legality of the processing carried out on the basis of the consent until revocation.
9. Automated decision on a case-by-case basis, including profiling
You have the right not to be subject to a decision based exclusively on automated processing, including profiling, that has legal effect against you or significantly impairs you in a similar manner.
This does not apply if the decision
is necessary for concluding or fulling a contract between you and the controller,
is admissible due to EU law or the member state law to which the controller is subject and where this law contains appropriate measures to safeguard your rights, freedoms and legitimate interests or
takes place with your explicit consent.
However, these decisions may not be based on special categories of personal data according to Article 9 Para. 1 GDPR unless Article 9 Para. 2 Lit. a or g GDPR applies and appropriate measures have been taken to protect your rights, freedoms and legitimate interests.
In the cases referred to in (1) and (3), the controller shall take reasonable measures to safeguard your rights, freedoms and legitimate interests, including at least the right to obtain the intervention of a person by the controller, to state his own position and to challenge the decision.
10. Right to complain to a supervisory authority
Irrespective of any other administrative or judicial remedy, you have the right to complain to a supervisory authority, in particular in the member state in which you are residing, working or suspected of violation, if you believe that the processing of personal data concerning you is contrary to the GDPR.
The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.