
 

Privacy Policy according to GDPR

Karl Epp

As of: May 2018

 

 

Table of Contents

 

1 Responsibility

2 General

3 Use of the website

3.1 Videos and press area

3.2 Facebook

3.3 Contact Form

3.4 Cookies and scripts

4 Newsletters & e-mails

5 Legal bases

6 Right of information / rights of the person concerned

6.1 Right of information

6.2 Right to rectification

6.3 Restriction of data processing

6.4 Right to cancellation

6.4.1 Obligation to delete

6.4.2 Information to third parties

6.4.3 Exceptions

6.5 Right of information

6.6 Data transferability

6.7 Right to object

6.8 Right to revoke the data protection consent declaration

6.9 Automated decision on a case-by-case basis

6.10 Right to complain to a supervisory authority

7 Data transfer to third parties

8 Deletion of data

9 IT security

 

1 Responsibility

 

The person responsible within the meaning of the General Data Protection Regulation (GDPR), other national data protection laws of the member states and other data protection regulations is:

 

Karl Epp

Abraham-Lincolnstr.15

99423 Weimar

Germany

Tel.: ++49 (0) 179 54 17 687

mail@karlepp.de

 

(see also imprint).

 

My company consists of only 1 person, me, who has access to the data stored and processed by me. A legal obligation to appoint a data protection officer according to Art. 37 GDPR does not exist for me. Insofar as I make use of the services of third parties, in particular IT specialists, we have concluded a corresponding order processing contract pursuant to Art. 28 GDPR.

 

 

2 General

 

As with the use of any online offer, using www.karlepp.de generates data that, particularly since the GDPR came into effect on 25.05.2018, is subject to special data protection rules as personal data. This was of course already the case before the EU introduced the Regulation, but the GDPR brings some innovations and extends protection compared with the previously valid national rules of the German BDSG.

 

In addition to obviously personal data such as name, address, e-mail address, bank account numbers, religious and ideological convictions, preferences and data on origin, the IP address of a site visitor, for example, also falls under the protection of personal data.

 

My business is based on trust, so even before the introduction of the GDPR it was a matter of course for me to handle all the data entrusted to me accordingly. For my web offer, however, I depend on the services of third parties, especially web hosts.

 

The extent to which data is generated and how it is processed depends primarily on how you use my offer.

 

 

3 Use of the website

 

Each time the page is accessed, the visitor's IP address is processed by the web server for the duration of the visit. This is mandatory, otherwise no connection to the page could be established.

 

To offer my site on the Internet, I use the external provider "Wix.com Ltd" (web host), which also provides the servers for my site. According to its own statements, Wix.com does not collect any usage data of site visitors unless the customer (here, me) requests it, for example for statistical purposes. Note that I do not keep any statistics on the use of this website, so a simple visit to my website does not create any data that I could assign to a person. However, as far as the actual collection and storage of data by my web host is concerned (for example, for security purposes or error handling), I must rely on its information. If you would like to read this, you can do so at https://de.wix.com/about/privacy. Since Wix.com Ltd. is located outside the EU, it is natural that the data collected by Wix.com may be processed outside the EU. The concrete server locations are unfortunately not known to me.

 

In addition, access to my site is by default SSL-encrypted.

 

3.1 Videos and press area

 

My business lives from artistic staging. How could this be conveyed better than by audiovisual presentation? For this reason, you will find various videos on my site, which you can view directly here. Here too I rely on external service providers, namely "YouTube" and "Vimeo", because Wix.com does not offer this service itself. So if you play a video on my site, it automatically accesses YouTube's / Vimeo's servers for technical reasons. As far as the videos embedded on my site have been posted on my own YouTube/Vimeo channel, I will of course try to minimize the data generated on demand (for example by regularly disabling usage statistics). However, as far as the videos come from other channels, such as channels operated by other artists, I may have no control over them. YouTube and Vimeo themselves are American companies, so data processing may take place outside the EU. In addition, I refer to the privacy policy of YouTube at https://policies.google.com/privacy and Vimeo at https://vimeo.com/privacy.

 

 

3.2 Facebook

 

Of course, I’m also on Facebook. The button on my page is purely a link to my Facebook page. If you use it, you leave my website and use the services of Facebook. In this regard, I refer to the privacy policy of Facebook at https://www.facebook.com/privacy/explanation. In addition, no data is sent to Facebook automatically when you use my website.

 

3.3 Contact Form

 

If you use my contact form, you contact me directly. In doing so, you send me your own personal data according to the form fields:

 

  • Name 

  • E-mail address 

  • Message

In addition, the following data is automatically saved via Wix.com (see above):

  • the IP address of the contact seeker

  • The country from which the request comes

  • Browser usage data (browser with version)

  • Date and Time

 

When the message is sent, an automated e-mail is sent to my e-mail address "mail@karlepp.de" at my mail and domain host HostEurope. The operator HostEurope exclusively uses server locations within Europe, therefore data are processed exclusively within the EU. No confirmation e-mail is sent automatically.

 

Data stored on the Wix.com servers as part of the contact form will be deleted by me regularly.

 

3.4 Cookies and scripts

 

My site also uses so-called cookies. Cookies are small text files that your browser stores on your computer. They do not damage your computer and contain no malware. They only serve to make my offer more user-friendly, effective and secure (for example, to speed up page loading on repeat visits). Most of the cookies I use are so-called "session cookies". They are automatically deleted after your visit. Other cookies remain stored on your device until you delete them. These cookies allow me to recognize your browser the next time you visit.

 

You can set your browser so that you are informed when cookies are set and allow them only in individual cases, exclude the acceptance of cookies for certain cases or in general, and enable the automatic deletion of cookies when the browser is closed. Disabling cookies may limit the functionality of this website.

 

In addition to cookies, scripts (JavaScript) are also used on my website. These are required for the correct presentation and function of the website, but can also be used for statistical purposes (such as tracking). As already stated, I do not collect any statistical data on the use of my website. However, I have no influence on the use of those scripts and cannot do without them, as they are automatically used by the web host when the website is created. These include static.parastorage.com, frog.wix.com, wixstatic.com, gstatic.com.

 

 

4 Newsletters & e-mails

 

I may use free newsletters to inform you about new programs or special offers. However, these are sent only to those who have previously expressly consented, for example by providing a contact address for exactly this purpose, or who have explicitly asked me to receive communications.

 

I do not use an automated mailing system. Anyone who no longer wishes to receive the newsletter can unsubscribe at any time by simply clicking on the link provided in the newsletter.

 

Anyone wishing to register for the newsletter can do so by sending an e-mail to mail@karlepp.de or by using the contact form. Insofar as the registration takes place via my contact form, I must make sure that the e-mail address of the data subject is not being misused by third parties. For this reason, I send a response message to the specified address, in which I ask again for confirmation. Of course, this is not necessary if you send me a message from the account that is also to be used as the receiving address for the newsletter.

 

E-mails to my e-mail address mail@karlepp.de are processed via my mail and domain host HostEurope. HostEurope is a German provider that only uses server locations within Europe (currently Strasbourg and Cologne), therefore data are processed exclusively within the EU.

 

Insofar as I receive an e-mail from you, I will store this data, especially if it serves to fulfill the contract. Irrelevant e-mails, however, are immediately deleted by me. As far as the e-mails have legally relevant contents, I store these for evidential purposes according to the legal limitation periods (for example warranty or guarantee claims, tax-relevant contents, etc.). In the case of legal storage obligations, deletion is only considered after expiration of the legal storage obligations.

 

The sending of e-mails via my contact form or via my provider HostEurope is SSL / TLS encrypted. Unencrypted e-mails sent via the Internet are not adequately protected against unauthorized access by third parties. So, when you send me a message from your own account, please make sure that your provider allows you to send / receive e-mails encrypted.

 

 

5 Legal bases

 

The images and videos on my website are all used with the formal permission of the authors and the persons depicted as part of the fulfillment of the contract (Article 6 (1) (b) GDPR).

 

In addition, I store and process personal data only insofar as I have received the explicit prior consent of the data subject pursuant to Article 6 (1) (a), or for the purpose of fulfilling contractual obligations (Article 6 (1) (b) GDPR) or statutory obligations under EU or German law (Article 6 (1) (c) and (e), (3) GDPR).

 

Insofar as data is temporarily stored (e.g. usage data to ensure the function of the website), this is done on the basis of Article 6 (f) GDPR.

 

For further information about data deletion see sections (6) and (8) of this document.

 

6 Right of information / rights of the person concerned

 

Although many of the following rights are unlikely to be relevant in the context of my data processing, I would like to clarify as much as possible about the rights of those affected.

 

6.1 Right of information

 

Each person concerned has the right to obtain information about personal data concerning them. You can always contact me. However, I must make sure that the request actually comes from the person concerned.

 

As far as I process personal data concerning you, you can request the following information:

 

  • the purposes for which the personal data is processed

  • the categories of personal data that are processed

  • the recipients or categories of recipients to whom the personal data relating to you have been or will be disclosed

  • the planned duration of the storage of your personal data or, if specific information is not available, criteria for determining the duration of storage

  • the existence of a right to rectification or deletion of personal data concerning you, a right to restriction of processing by me or a right to object to such processing

  • the existence of a right of appeal to a supervisory authority

  • all available information on the source of the data if the personal data is not collected from the data subject

  • the existence of automated decision-making including profiling under Article 22 (1) and (4) GDPR and, at least in these cases, meaningful information about the logic involved, and the scope and intended impact of such processing on the data subject

  • You have the right to request information about whether your personal information is transferred to a third country or an international organization. In this connection, you can request to be informed of the appropriate guarantees in accordance with Art. 46 GDPR in connection with the transfer.

 

6.2 Right to rectification

 

You have the right to correct and / or complete the personal data concerning you, in so far as these are incorrect or incomplete. I will then make this correction without delay.

 

6.3 Restriction of data processing

 

You may request the restriction of the processing of your personal data under the following conditions:

  • if you contest the accuracy of your personal information for a period that allows me to verify the accuracy of your personal information

  • the processing is unlawful and you refuse the deletion of the personal data and instead demand the restriction of the use of the personal data

  • I no longer need your personal information for the purposes of processing, but you need it to assert, exercise or defend your rights, or

  • if you objected to the processing pursuant to Art. 21 (1) GDPR and it is not yet certain whether the legitimate reasons of the person responsible prevail over your reasons

 

If the processing of personal data concerning you has been restricted, this data may only be used with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.

 

If the processing has been restricted as described above, you will be informed by the person responsible before the restriction is lifted.

 

6.4 Right to cancellation

 

6.4.1 Obligation to delete

 

You may require me to delete your personal information without delay and I am required to delete that information immediately, if any of the following is true:

  • Your personal data is no longer necessary for the purposes for which they were collected or otherwise processed

  • You revoke your consent to the processing pursuant to Article 6 (1) (a) or Article 9 (2) (a) GDPR and there is no other legal basis for processing

  • You object to the processing pursuant to Article 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21 (2) GDPR

  • Your personal data has been processed unlawfully

  • The deletion of the personal data concerning you is necessary for the fulfillment of a legal obligation under the European Union law or the law of the Federal Republic of Germany

  • The personal data concerning you were collected in relation to information society services offered pursuant to Article 8 (1) GDPR.

 

6.4.2 Information to third parties

 

Insofar as I have made personal data concerning you public and am obliged to delete it pursuant to Article 17 (1) GDPR, I shall take appropriate measures, including technical means, taking into account the available technology and the implementation costs, to inform any third parties or processors that you, the affected person, have requested that they delete any links to such personal information or copies or replications of such personal information.

 

6.4.3 Exceptions

 

The right to erasure does not exist if the processing is necessary

  • to exercise the right to freedom of expression and information

  • to fulfill a legal obligation that requires processing under the law of the Union or the Federal Republic of Germany, or to perform a task that is in the public interest or in the exercise of public authority that has been delegated to me

  • for reasons of public interest in the field of public health pursuant to Article 9 (2) (h) and (i) and Article 9 (3) GDPR

  • for archival purposes of public interest, scientific or historical research purposes or for statistical purposes according to Article 89 (1) GDPR, to the extent that the law referred to in subparagraph (a) is likely to render impossible or seriously affect the achievement of the objectives of that processing, or

  • to assert, exercise or defend legal claims

 

6.5 Right of information

 

If you have asserted your right to rectification, erasure or restriction of processing against me, I am required to notify all recipients to whom your personal data have been disclosed of such rectification or deletion of data or restriction of processing, unless this proves to be impossible or involves a disproportionate effort.

 

You have the right to be informed about these recipients.

 

6.6 Data transferability

 

You have the right to receive the personal data you have provided to me in a structured, common and machine-readable format. In addition, you have the right to transfer this data to another person responsible without hindrance by the person responsible to whom the personal data was provided, provided that

  • the processing is based on consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract pursuant to Art. 6 para. 1 lit. b GDPR, and

  • the processing is done using automated procedures

 

In exercising this right, you also have the right to obtain that personal data relating to you are transmitted directly by me to another person responsible, insofar as this is technically feasible. Freedoms and rights of other persons may not be affected.

 

The right to data portability does not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority that has been delegated to me.

 

6.7 Right to object

 

You have the right, at any time, to object to the processing of your personal data, processed according to Article 6 (1) (e) or (f) GDPR, for reasons arising from your particular situation.

 

I will then no longer process any personal information about you unless I can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing is for the purpose of enforcing, pursuing or defending legal claims.

 

If the personal data relating to you are processed for direct advertising purposes, you have the right to object at any time to the processing of your personal data for the purposes of such advertising.

 

If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes.

 

Regardless of Directive 2002/58/EC, you have the option, in the context of the use of information society services, of exercising your right to object through automated procedures that use technical specifications.

 

6.8 Right to revoke the data protection consent declaration

 

You have the right to revoke your declaration of consent under data protection law at any time.

 

The revocation of consent does not affect the legality of the processing carried out on the basis of the consent until the revocation.

 

6.9 Automated decision on a case-by-case basis

 

You have the right not to be subjected to a decision based solely on automated processing - including profiling - that has legal effect on you or affects you in a similar manner. This does not apply if the decision

  • is required for the conclusion or performance of a contract between you and me

  • is permitted by legislation of the Union or the Federal Republic of Germany and this legislation contains reasonable measures to safeguard your rights and freedoms and your legitimate interests, or

  • is made with your express consent.

 

However, these decisions must not be based on special categories of personal data under Article 9 (1) GDPR, unless Article 9 (2) (a) or (g) GDPR applies and reasonable measures have been taken to protect the rights and freedoms as well as your legitimate interests.

 

In cases of performance of contract and consent, I take reasonable steps to uphold your rights and freedoms and your legitimate interests, including at least the right to obtain my intervention, to express your own point of view and to contest the decision.

 

6.10 Right to complain to a supervisory authority

 

Without prejudice to any other administrative or judicial remedy, you have the right to complain to a supervisory authority, in particular in the Member State of your place of residence, employment or the place of the alleged infringement, if you believe that the processing of your personal data violates the GDPR.

 

The supervisory authority to which the complaint has been submitted shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.

 

An overview of the supervisory authorities and state data protection officers can be found at

https://www.datenschutz-wiki.de/Aufsichtsbehörden_und_Landesdatenschutzbeauftragte (German site; this is provided for information only; no liability is assumed for the completeness, correctness, timeliness, etc. of the content)

 

7 Data transfer to third parties

 

Basically, I do not disclose any personal data to any third parties, unless this is absolutely necessary for the fulfillment of the contract. Even in this case, however, I do not do so without first obtaining the consent of the person concerned!

 

I never pass on any personal data for advertising purposes to third parties!

 

Insofar as processors are able to obtain knowledge of or access to personal data within the framework of their services (predominantly IT specialists), this is done exclusively on the basis of a corresponding order processing contract pursuant to Article 28 GDPR. In no case do I permit the processor to use the data for its own purposes.

 

8 Deletion of data

 

In addition to the right to delete mentioned under No. 6.4, I point out that I generally delete personal data automatically, as long as there is no requirement for further storage. A requirement may exist, in particular, if the data is still needed in order to be able to fulfill contractual obligations, to examine warranty claims and, if applicable, guarantee claims and to grant or defend them. In the case of legal storage obligations, a deletion is only considered after expiration of the respective retention obligation.

 

In this sense, I carry out an audit at least every 12 months in order to sort out and delete obsolete data.

 

9 IT security

 

All the data I store, manage or process in my office is either paper-based or on my single office computer. I use password-protected access and the latest protection software. All personal data are also stored in encrypted databases or directories to which only I have access. For this purpose I produce weekly encrypted backups, also in order to be able to contribute to the clarification and damage determination in case of a data breach. In the event of a breach of data protection (e.g. due to hacker attacks, burglary), I will notify the competent supervisory authority and the affected persons as soon as possible and within 72 hours. If a data protection violation occurs with a processor, the processor does not have a duty to report directly to the supervisory authorities in accordance with Article 33 (2) GDPR, but only to me. However, the processor must report to me immediately, and I will forward the report accordingly.

 

Überbach, May 25, 2018
