We, the
Carl Duisberg Centren gemeinnützige GmbH,
Hansaring 49–51,
50670 Cologne,
Germany
Contact information for the data protection officer:
datenschutz@cdc.de,
maintain several company pages on the social networks Facebook (hereinafter referred to as the “Facebook network”), Instagram, Twitter, LinkedIn, and Xing. The use of our company social network pages is subject to these third-party providers’ currently valid terms of use and data protection policy, which can be accessed on their respective websites.
Although we cannot control, nor can we monitor these social networks’ processing of your data, we may as an operator of company pages be considered, together with the respective network, jointly responsible for data protection.
For this reason, we will now inform you in the following how – to the best of our knowledge – these social networks’ data processing works and how we use these data (§§ 2 – 5), what rights you have (§ 6), and how long we retain your personal data (§ 7).
All terms used in this Policy are to be understood as defined in the EU General Data Protection Regulations (hereinafter referred to as “GDPR”).
Facebook’s social networks are online platforms that make it possible to publish information, opinions, and media as well as allowing users who are registered and logged on to the platforms (hereinafter referred to as “users”) to interact with one another. Facebook processes personal and other data for several purposes, including to deliver advertising and to personalize such adverts. If personal data is actively inputted or posted on Facebook’s social networks (e.g., in profiles, groups, events, timelines, stories, feeds) or sent over these networks, these data will in all cases be disclosed to Facebook. This also includes the so-called Exif data associated with digital photos and videos (metadata such as time, location, and camera used). Depending on the privacy settings for the particular profile, group, story, etc., which the user can configure, other users are granted access to the personal data that have been actively posted or sent. In addition, Facebook processes data that are not actively posted as follows: connection data (e.g., IP address, browser information, and location) is collected when users and non-users access the platforms, and data relating to users’ behavior on Facebook’s network will be saved. By using so-called cookies, Facebook plugins, and other tracking technology, Facebook also collects additional data about the behavior of users and non-users on other websites outside of Facebook’s networks (e.g., about websites visited and likes).
Please be aware that simply accessing our company page or browsing websites with embedded Facebook plugins may result in personal data being stored by Facebook even if you are not a Facebook user.
Facebook analyzes the content that users actively post on the platforms, compiles the data from users – where applicable, from several different sources – to generate profiles, evaluates the available information, generates summarized statistics, and passes these on to its own customers as a part several of products (including “Facebook Insights”, for more information, see below). In addition, Facebook allows its customers, e.g. app developers, access to its users’ data.
The data processing conducted by Facebook is in part carried out in the USA and other countries outside of the European Economic Area. Therefore, it is possible that data will be transferred to these countries as soon as you visit our company page on Facebook. For these data transfers, appropriate safeguards have been established in accordance with Article 46 GDPR in the form of standard data protection clauses adopted by the European Commission that we have agreed with Facebook and that you can access here: https://www.datenschutz.rlp.de/de/themenfelder-themen/standarddatenschutzklauseln-der-eu-kommission-oder-einer-aufsichtsbehoerde (verified 12/2020). As one of the parties who may be potentially considered responsible for data protect, we are obligated to verify whether the prevailing legal conditions in the country to which these data are transferred are compatible with EU standard data protection clauses; otherwise, there is no appropriate safeguard to act as a justification for these data transfers (Judgement of the Court of Justice of the European Union 16 July 2020, in Case C-311/18). To the best of our knowledge, Facebook may potentially fall under Section 702 FISA, which compels Facebook to grant unrestricted access to US federal agencies without a search warrant for non-US citizens’ personal data. In this case, an appropriate safeguard in accordance with Article 46 GDPR would not exist. However, Facebook has responded to this particular issue and provided assurances that it is acting in accordance with the administrative judgements of the Court of Justice of the European Union. As long as no other regulatory authority or court issues contradictory rulings, we therefore assume that Facebook is able to uphold EU standard data protection clauses.
We are active on Facebook’s social networks for purposes of providing information to our customers, advertising, and to communicate with our customers and interested parties. In order to achieve these objectives, we post news, photos, videos, and texts; we follow clients, freelance employees, or third-party language training companies and travel providers; and we also run promotional contests and campaigns at irregular intervals, free of charge. These activities and content are regularly associated with or contain personal data related to our customers and freelance employees. Naturally, we inform data subjects and seek their consent before posting their personal data. Our company pages are publicly available without any restrictions to all users and third parties. Our groups on the Facebook network are “private”. This means that the Facebook user profiles that can interact with the group and access the contents posted in the group are limited to user profiles admitted by us, and as a rule these user profiles belong to our current and former customers, and our freelance employees. Before we post photos and videos to Facebook, we remove the Exif data from the file (see above for more information). Personal data on our company pages will be deleted after a retention period of seven years at the end of the calendar year in which the retention period expires. During this retention period, our legitimate interest to conduct advertising and inform customers, which justifies this data processing, shall remain in effect (for more information, see below).
We subscribe to “Facebook Insights” and “Instagram Insights”, products that Facebook provides free of charge. These products consist of anonymized, statistically analyzed data on the visitors to our company pages and how these visitors interact on our company pages on the respective social network. They consist of demographic data (e.g., age, gender, language, and employment status), geographic data (e.g., the user’s permanent place residence and current location), information about lifestyle and interests as well as the number of likes, which can be associated with data categories. Insights allows us to draw certain conclusion about the reach and popularity of our company pages and content. Where applicable, we use this information to customize the content. However, we do not systematically analyze the data we receive from Insights. Moreover, we do not target our Facebook activities at particular target groups and thus do not use any additional Facebook services that would, for example, make it possible for us to engage in target-group-specific customer communication. Thus, you will not receive personalized advertising from us under any circumstances.
Our legal basis for uploading and publishing content that includes your personal data on Facebook’s social networks is your consent in accordance with Article 6 No. 1 a) GDPR. The legal basis for the collection of your personal data and the subsequent transfer of these data to Facebook when you visit, view, and use our company Facebook pages as well as our use of Insights is a balancing of interests in accordance with Article 6 No.1 f) GDPR. Our legitimate interests in this case are advertising our products and service and providing information to our customers.
Facebook and Carl Duisberg Centren are parties to a joint controller processing agreement in accordance with Article 26 GDPR, which Facebook has concluded with operators of fan pages in Europe. This agreement can be accessed at the following link (verified 12/2020): https://www.facebook.com/legal/terms/page_controller_addendum
In essence, this agreement stipulates the following:
As a result, you may direct data protection inquiries and requests to exercise your right listed in § 6 of this Policy that relate to our company pages on Facebook’s social networks to us. In addition, you may also direct any objections to data processing carried out on the basis of a balancing of interests to us, as detailed in § 6 of this Policy. However, you should direct all data protection inquiries and requests to exercise your right listed in § 6 of this Policy that relate to the Facebook network to: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Contact form: https://www.facebook.com/help/contact/540977946302970 (for use outside of the USA and Canada).
We use the microblogging service provided by the company Twitter Inc. (hereinafter referred to as “Twitter”) for the purposes of providing information to our customers and for advertising. To accomplish this, we post (“tweet”) texts and media that relate to our services offered and events on our company account. In the course of these activities, we also tweet personal data of customers and freelance employees but only after notifying the data subjects and obtaining their consent. The personal data in question that we may post are names, email addresses, personal Twitter handles, photos, videos as well as weblinks to further content that contains personal data. In addition, we react to tweets of third parties (“likes”) and forward these (“retweeting”). Our tweets and reactions are always set to public, and we do not restrict the visibility of our activities using the account settings or any special tools available from Twitter. As a result, the abovementioned personal data are not only disclosed to Twitter, but they are also freely available to an indeterminate number of Twitter users and non-users on the Internet.
The data processing conducted by Twitter is in part carried out in the USA and other countries outside of the European Economic Area. Therefore, it is possible that data will be transferred to these countries as soon as you visit our company account on Twitter. For these data transfers, appropriate safeguards have been established in accordance with Article 46 GDPR in the form of standard data protection clauses adopted by the European Commission that we have agreed with Twitter and that you can access here: https://www.datenschutz.rlp.de/de/themenfelder-themen/standarddatenschutzklauseln-der-eu-kommission-oder-einer-aufsichtsbehoerde (verified 12/2020). The legal basis for uploading and publishing of content that includes your personal data on the Twitter network is your consent in accordance with Article 6 No. 1 a) GDPR.
Twitter itself conducts further data processing. As we do not restrict the reach of our posts on Twitter and only use Twitter’s free services, which do not give us access to any of Twitter’s analytical data or other functions (e.g. ad tracking) that would enable us to direct our activities to specific target groups, we have no influence on Twitter’s further processing of data. Accordingly, Twitter alone decides about the methods used and the purpose of further data processing and is in this respect solely responsible for data protection. As such, all data protection inquiries and requests to exercise your right listed in § 6 of this Policy that relate to Twitter should be directed to Twitter: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland; Contact form: https://twitter.ethicspointvp.com/custom/twitter/forms/data/form_data.asp (for users in Europa).
We maintain a presence on the social networks from the third party companies Xing SE (hereinafter referred to as “Xing”) with our official company profile as well as the individual profiles of our employees, who use these for professional purposes. Xing provides a social network that is focused on professional networking, which allows registered users to publish text and media as well as facilitating communication between users. Due to the fact that Xing is principally responsible for deciding the methods employed and purposes for which data is processed on its network, Xing is responsible for data protection relating to the use of its network. As such, you can direct all data protection inquiries and requests to exercise your right listed in § 6 of this Policy that relate to its networks to: XING SE, Dammtorstraße 30, 20354 Hamburg, Germany; E-Mail: info@xing.com.
Xing processes personal data for various purposes including for-profit placement and optimization of advertising and to compile and provide statistical data to its customers. If personal data are actively entered on the Xing network (e.g., registration data, profile data including photos, contacts, participation in events, reactions such as “likes”, data in posts, groups, and messages), these data will in all cases be disclosed to Xing. The only exception is data contained in private messages sent using the more recent versions of the Xing app (starting 5 April 2018) if end-to-end encryption is activated. In addition, other registered users on the Xing network, non-registered users, and external providers of integrated apps may – depending on the privacy settings that the user has activated – have access to the personal data that the user has actively posted. Moreover, Xing collects other data not actively inputted by the user: when accessing the network, the user’s IP address, device and browser type as well as location are saved. With the help of so-called cookies and other tracking technology, Xing collects a wide range of data about the behavior of registered users on the Xing network and outside the Xing network, e.g. information about websites viewed, searches conducted, and whether or not direct marketing emails have been opened. In addition, Xing processes the personal data of data subjects who do not use the Xing network if registered users have uploaded non-user contact data to their Xing address book. Xing analyzes the data actively inputted on the network, evaluates the user behavior, and compiles these data together to create a profile. Such profiles allow Xing to among other things personalize advertising content that users see on the network or that they receive by email. Additionally, Xing generates summarized statistics from these data, which Xing provides to users and other customers. Users receive free of charge a “weekly overview” with job postings and personalized contact matches as well as anonymized, statistical information about visitors to their profile and search queries relating to them.
We use Xing as an advertising platform. Specifically, our employees use the abovementioned profiles to post, share, or react to (“like”) texts and media that relate to our services offered and events on all conceivable channels available on the platform (e.g., posts, groups, events). When engaging in such advertising activities, we make all posts public and do not restrict the visibility of our activities. In addition, we communicate individually with customers and freelance employees to deliver advice and for marketing purposes. Personal data of customers and freelance employees will only be posted on these networks if we have obtained the data subject’s consent to do so. The personal data in question that we may post are names, personal network handles as well as photos. We do not use any additional paid services offered by Xing. We do not engage in any targeted advertising. We only receive anonymized statistics, specifically the abovementioned “weekly overview”. We do not systematically evaluate and analyze these data. These data do not provide us a sufficiently detailed picture about the reach and effect of our activities on these networks that would allow us to target our activities and our advertising in particular to specific target groups. However, our employees do when appropriate contact individual users that have been suggested by Xing.
Our legal basis for uploading and publishing of content that includes your personal data on the Xing network is your consent in accordance with Article 6 No. 1 a) GDPR. The legal basis for the collection of your personal data and the subsequent transfer of these data to the particular network when you visit, view, and use our company pages as well as our use of “weekly overview” is a balancing of interests in accordance with Article 6 No.1 f) GDPR. Our legitimate interests in this case are advertising our products and service and providing information to our customers.
We maintain a presence on the social networks from the third party company LinkedIn Ireland Unlimited Company (hereinafter referred to as “LinkedIn”) with our official company profile as well as the individual profiles of our employees, who use these for professional purposes. LinkedIn provides a social network that is focused on professional networking, which allows registered users to publish text and media as well as facilitating communication between users. The currently valid terms of use and the data protection policies of LinkedIn apply to all activities on these networks. Due to the fact that LinkedIn is principally responsible for deciding the methods employed and purposes for which data is processed on its network, LinkedIn is responsible for data protection relating to the use of its network. As such, you can direct all data protection inquiries and requests to exercise your right listed in § 6 of this Policy that relate to its networks to: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; contact form: https://www.linkedin.com/help/linkedin/ask/TSO-DPO (for users from Europe).
LinkedIn processes personal and other data for various purposes including for-profit placement and personalization of advertising, for research purposes including research on topics such as trends in the labor market, and to provide statistical data to its customers. If personal data are actively entered on the LinkedIn network (e.g., registration data, profile data including photos, address books, calendar data uploaded using synchronization tools in other programs, participation in events, reactions such as “likes”, data in posts, groups, and messages), these data will in all cases be disclosed to LinkedIn. Profile data are completely visible to registered users of LinkedIn, and – should the user choose to activate the appropriate setting – these data are also visible to non-registered users. Depending on the settings for groups, posts, reactions, messages, etc., the remaining actively posted data are visible to registered and non-registered users of LinkedIn. If the user has activated permissions for the account to be linked with external service providers, then these providers will also have access to the profile data and contacts. When a company profile has been established, the employer can also view and manage certain activities of its employees. LinkedIn uses scanning technology to analyze chat messages. In addition, LinkedIn collects other data not actively inputted by the user: when accessing the network, the user’s IP address, device and browser type as well as location are saved. With the help of cookies and other tracking technology, LinkedIn collects additional data about the user behavior, e.g. information about searches conducted for other registered users, videos watched, and ads clicked on. Data are also collected about behavior of registered users outside of the LinkedIn network, e.g. information about websites viewed, searches conducted, and whether or not direct marketing emails have been opened. Moreover, LinkedIn collects data relating to data subjects, which has been disclosed to LinkedIn by its registered users, e.g. in connection with contacts or synchronized calendars, and some of these data may be related to people who do not use the LinkedIn network. The data collected by LinkedIn will be analyzed to create a profile. Such profiles allow LinkedIn to among other things personalize advertising content that users see on the network and on external sites or that they receive by email, which may also be sent to non-users. Additionally, LinkedIn generates summarized statistics from these data, which LinkedIn provides to users and other customers. Users receive free of charge an anonymized “analytics” of posts, videos, and articles they have published on the network, which contains information on the number of view for each post, “likes”, shared posts, and the demographic background of the audience, including company affiliation, job title, and location.
The data processing conducted by LinkedIn is in part carried out in the USA and other countries outside of the European Economic Area. Therefore, it is possible that data will be transferred to these countries as soon as you visit our company page on LinkedIn. For these data transfers, appropriate safeguards have been established in accordance with Article 46 GDPR in the form of standard data protection clauses adopted by the European Commission that we have agreed with Twitter and that you can access here: https://www.datenschutz.rlp.de/de/themenfelder-themen/standarddatenschutzklauseln-der-eu-kommission-oder-einer-aufsichtsbehoerde (verified 12/2020).
We use LinkedIn as an advertising platform. Specifically, our employees use the abovementioned profiles to post, share, or react to (“like”) texts and media that relate to our services offered and events on all conceivable channels available on the platform (e.g., posts, groups, events). When engaging in such advertising activities, we make all posts public and do not restrict the visibility of our activities. In addition, we communicate individually with customers and freelance employees to deliver advice and for marketing purposes. Personal data of customers and freelance employees will only be posted on these networks if we have obtained the data subject’s consent to do so. The personal data in question that we may post are names, personal network handles as well as photos. We do not use any additional paid services offered by LinkedIn. We do not engage in any targeted advertising. We only receive anonymized statistics, specifically the abovementioned “analytics”. We do not systematically evaluate and analyze these data. These data do not provide us a sufficiently detailed picture about the reach and effect of our activities on these networks that would allow us to target our activities and our advertising in particular to specific target groups. However, our employees do when appropriate contact individual users that have been suggested by LinkedIn.
Our legal basis for uploading and publishing of content that includes your personal data on the LinkedIn network is your consent in accordance with Article 6 No. 1 a) GDPR. The legal basis for the collection of your personal data and the subsequent transfer of these data to the particular network when you visit, view, and use our company pages as well as our use of “analytics” is a balancing of interests in accordance with Article 6 No.1 f) GDPR. Our legitimate interests in this case are advertising our products and service and providing information to our customers.
Regarding your personal data that we control, you have the following rights according to the standards laid out in the GDPR:
a) Right to information
b) Right to rectification or deletion
c) Right to restriction of processing
d) Right to withdraw consent: You may withdraw consent at any time and free of charge; however, such a withdrawal of consent does not affect the permissibility of processing for the time period before which notification of the data subject’s withdrawal of consent was received.
e) Right to object to processing: If our processing of your personal data is in conflict with the balancing of interests, you can object to the processing at any time, free of charge. In your objection, we kindly ask that you present the reasons why we should not process your personal data in the manner intended by us. In cases where the objection is justified, we will suspend or as appropriate modify the data processing, or we will provide you with our prevailing interests that justify our continued processing of your personal data. You may object to the processing of your personal data for marketing purposes at any time, free of charge, and without providing any reason for your objection. Should you object to this processing, we will no longer process your personal data for these purposes.
f) Right to data portability
g) In addition, you have the right to lodge a complaint with a data protection supervisory authority about our processing of your personal data. The data protection supervisory authority responsible for oversight of CDC is:
Landesbeauftragte für den Datenschutz und
Informationsfreiheit Nordrhein-Westfalen
Kavalleriestraße 2–4
40213 Düsseldorf
Germany
To exercise your rights, you can contact us at any time by using the contact details provided above in §1 of this Policy or a contact form on our websites.
We delete personal data as soon as they are no longer needed for the purpose that they were collected or other legitimate purposes. Posts on our company social media accounts which contain personal data will be removed by us at the latest after seven years at the end of the calendar year.
Excepted from these rules are personal data that we are legally required to keep for longer periods to comply with statutory guidelines or to fulfill statutory record keeping requirements (e.g., business correspondence that has led to the conclusion of contracts).
As an alternative to deletion, we may completely anonymize data so that we can retain the data for a longer period in order to aid in quality management and for statistical purposes. After anonymization, the data are no longer able to be associated with an individual person and do not infringe on your right to data protection.