Data Protection

Stiftung SPI
Seestraße 67
13347 Berlin

Telefon: +49 30 459793-0
Fax: +49 30 459793-66
Email: info(at)stiftung-spi.de

For the central office/institute directorate and for the business units of Vocational Schools, Qualification & Professionalization; of Health, Residence & Employment; of Life Situation, Diversity & Urban Development; of Brandenburg North-West and Brandenburg South-East:
ER Secure GmbH
c/o Stiftung SPI, Seestraße 67, 13347 Berlin
Email: datenschutz(at)stiftung-spi.de

For the Strategies for Social Integration business unit:
Dr. Jan Gregersen
Email: jan.gregersen(at)stiftung-spi.de

We consider it our primary task to maintain the confidentiality of the personal data provided by you and to protect it from unauthorised access. We therefore apply extreme care and state-of-the-art security standards to ensure the maximum protection of your personal data.

As a non-profit foundation under civil law, we are subject to the provisions of the European Data Protection Regulation (GDPR) and the regulations of the Federal Data Protection Act (BDSG). We have taken technical and organisational measures to ensure that the data protection regulations are observed both by us and by our external service providers.

The legislation requires that personal data is processed lawfully, in good faith and in a manner comprehensible to the person concerned ("lawfulness, fairness and transparency"). In order to safeguard these principles, we hereby inform you about the individual legal definitions that are also used in this Privacy Policy:

Personal data means all information relating to an identified or identifiable natural person (hereinafter: ‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing is every procedure carried out with or without the help of automated processes or every such operational sequence in connection with personal data, such as the collection, the capturing, the organisation, the allocation, the saving, the adaption or changing, the selection, the querying, the use, the disclosure through transmission, the dissemination or other form of provision, the comparison or the linking, the limitation, the deletion or the destruction of the data.

Limitation of processing is the marking of saved personal data with the goal of limiting its future processing.

Pseudonymisation is the processing of personal data in a way which makes the association of the personal data with a specific data subject no longer possible without using additional information, as long as this additional information is stored separately and subject to technical and organisational measures that guarantee that the personal data cannot be associated with an identified or identifiable natural person.

Filing system means any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of this data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

A third party is a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Consent by the data subject is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

The processing of personal data is lawful only if there is a legal basis for the processing. Legal basis for the processing may, in accordance with Art. 6 paragraph 1a-f GDPR in particular, be if:

a. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c. processing is necessary for compliance with a legal obligation to which the controller is subject;
d. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

In the following, we inform you about the collection of personal data when using our website. Personal data is, for example, name, address, email addresses, user behaviour. When you contact us by email or via a contact form, the data provided by you (e.g. email address, name, telephone number) will be saved by us in order to answer your questions. We delete the data collected in this context once saving it is no longer necessary, or processing is restricted if statutory retention obligations apply.

Collection of personal data when you visit our website
If you merely use the website for information purposes, i.e. if you do not register or provide us with information otherwise, we collect only that personal data which your browser transfers to our server. If you visit our website, we will collect the following data which is technically necessary for us to be able to display our website and guarantee its stability and security (legal basis is Art. 6 paragraph 1 sentence 1f GDPR):

• IP address;
• Date and time of the request;
• Time zone difference from Greenwich Mean Time (GMT);
• Contents of the request (specific page);
• Access status/HTTP status code;
• Amount of data transferred in each case;
• Requesting website;
• Browser;
• Operating system and its interface;
• Language and version of the browser software.

Use of cookies
In addition to the previously mentioned data, cookies will also be saved on your computer when you use our website. Cookies are small text files, which are assigned to the browser you are using and stored on your hard drive, and which send certain information to the site setting the cookie. Cookies cannot run any programs or transmit viruses to your computer. They are used to make the Internet site altogether more user-friendly and effective. This website uses the following types of cookies, the scope and function of which is explained in the following.

• Transient cookies are automatically deleted when you close the browser. These include, in particular, session cookies. These save a so-called session ID through which the different requests of your browser can be associated with the general session. This means that your computer can be recognised when you return to our website. The session cookies are deleted when you log out or close the browser.
• Persistent cookies are automatically deleted after a specified period which differs from cookie to cookie. You can delete the cookies at any time in your browser’s security settings.
• You can configure your browser’s settings according to your wishes and, for example, disallow the acceptance of third-party cookies or all cookies. So-called third-party cookies are cookies which are set by a third party and not by the actual website that you are currently visiting. We point out that you may not be able to use all the functions of this website if you disable cookies.

Further functions and services of our website

1. In addition to the purely informative use of our website, we offer various services that you can use if you are interested. To do this, you must generally provide further personal data, which we use to perform the service in question and to which the above-mentioned basic principles of data processing apply.
2. We sometimes use external service providers for the processing of your data. These have been carefully selected and commissioned by us, are bound by our instructions and are inspected regularly.
3. Furthermore, we may transfer your data to third parties if the conclusion of a contract or similar services are offered by us together with partners. You will be informed about this in greater detail when you provide your personal data or below in the description of the offer.
4. If our service providers or partners are located in a country outside the European Economic Area (EEA), we will inform you of the consequences of this fact in the description of the offer.

External scripts and program libraries
Ajax, jQuery and/or jQueryUI technology is used on this website. In this, the corresponding program libraries are called up by servers at Google, whereby streamlining of the page code and the optimisation of loading speeds is achieved. Google uses the CDN (Content delivery network).
If jQuery has been used previously on another page by Google CDN, your browser will rely on the copy stored in the cache. If this does not apply, it will request a download at Google’s external servers, whereby data from your browser must be provided. These server requests with IP address may be logged there. You will find further information in the Google Privacy Policy.
You can prevent the collection and forwarding of this data by disabling the use of JavaScript in your browser or installing a tool such as “NoScript”. This will, however, restrict some functionality of the website.

Newsletter

1. With your consent, you can subscribe to our newsletter, in which we inform you about our current offers. The advertised goods and services or information are named in the consent form.
2. We use the so-called double-opt-in procedure for registration for our newsletter. This means that we send an email after your registration to the email address provided, in which we ask you to confirm that you want to receive the newsletter. If you fail to confirm your registration within 24 hours, your information will be blocked and deleted automatically after one month. In addition, we save the IP addresses you used and the times of registration and confirmation. The purpose of the procedure is to be able to prove and, if necessary, investigate the possible misuse of your personal data.
3. The only mandatory information for receipt of the newsletter is your email address. The provision of further, separately marked data is voluntary and will be used to be able to address you personally. Following your confirmation, we will save your email address for the purposes of sending you the newsletter. Legal basis is Art. 6 paragraph 1 sentence 1a GDPR.
4. You can revoke the consent you provided for receipt of the newsletter at any time and unsubscribe from the newsletter. You can revoke your consent by clicking on the link provided in every newsletter email, via this form on the website, by email to redaktion(at)stiftung-spi.de, or by sending a message to the contact address provided in the Legal Notice.

Our services are generally aimed at adults. Persons under the age of 18 should not send personal data to us without the consent of their parents or legal guardians.

1. Revocation of consent If the processing of personal data is based on consent provided by you, you have the right to revoke this consent at any time. The lawfulness of the processing carried out on the basis of the consent up to the point of the revocation is not affected by the withdrawal of consent. You can contact us at any time to exercise your right to revocation.

2. Right to confirmation You have the right to demand confirmation from the controller as to whether or not personal data about you is being processed. You can request the confirmation using the contact details above at any time.

3. Right to information If your personal data is being processed, you can demand information about this personal data and about the following at any time:

• the purposes of the processing;
• the categories of personal data processed;
• the recipients or categories of recipients to whom the personal data was disclosed or will be disclosed, in particular in the case of recipients in third countries or in international organisations;
• if possible, the planned duration for which the personal data will be saved or, if this is not possible, the criteria for determining this period;
• the existence of a right to correct or delete the personal data pertaining to you or to limitation of processing by the controller or the right of objection to this processing;
• the existence of a right to complain to the supervisory authority;
• where the personal data is not collected from the data subject, all available information about the origin of the data;
• the existence of an automated decision-making process including profiling pursuant to Art. 22 paragraphs 1 and 4 GDPR and – at least in these cases – meaningful information on the logic involved as well as the scope and the desired effects of this sort of processing for the data subject.

If personal data is transferred to a third country or to an international organisation, you have the right to be informed about the corresponding guarantees in connection with this transfer pursuant to Art. 46 GDPR. We shall provide a copy of the personal data which is the subject of the processing. For all further copies that you request, we can charge a reasonable fee based on administrative costs. If you make the request in electronic form, the information we provide will also be in standard electronic format, unless specified otherwise. The right to receive a copy in accordance with paragraph 3 may not interfere with the rights and freedoms of another person.

4. Right to correction You have the right to demand of us the immediate correction of any incorrect personal data concerning you. In addition, you have the right, taking the purposes of the processing into consideration, to demand the completion of any incomplete data – also by means of a supplementary declaration.

5. Right to deletion (“right to be forgotten”) You have the right to demand of the controller that the personal data concerning you are deleted immediately, and we are obligated to delete this personal data, provided one of the following reasons exists:

• The personal data was collected or otherwise processed for such purposes as are no longer required.
• The data subject revokes the consent on which processing was based in accordance with Art. 6 paragraph 1a or Art. 9 paragraph 2a GDPR and there are no further legal grounds for the processing.
• The data subject objects to the processing in accordance with Art. 21 paragraph 1 GDPR and there are no compelling, legitimate reasons for the processing, or the data subject objects to the processing pursuant to Art. 21 paragraph 2 GDPR.
• The personal data was processed unlawfully.
• The deletion of the personal data is required for the fulfilment of a legal obligation in accordance with EU law or the laws of the member states to which the controller is subject.
• The personal data was collected in relation to services offered by the information society in accordance with Art. 8 paragraph 1 GDPR.

If the data controller has published the personal data and is obligated to delete it in accordance with paragraph 1, the controller shall take reasonable measures (also technological), taking the available technology and costs of implementation into consideration, to inform other parties responsible for the processing of the personal data that the data subject has requested of them, the deletion of all links to this personal data or of copies or replications of this personal data.

The right to deletion does not exist if the processing is necessary:

• for the exercise of the right to freedom of expression and information;
• to comply with a legal obligation which requires the processing pursuant to the law of the EU or the member states to which the controller is subject, or to carry out a duty that lies in the public interest or in the exercise of official authority that has been transferred to the controller;
• for reasons of public interest in the field of public health in accordance with Art. 9 paragraph 2 h and i, as well as Art. 9 paragraph 3 GDPR.
• for archival purposes, scientific or historical research purposes in the public interest or for statistical purposes in accordance with Art. 89 paragraph 1 GDPR, provided the rights stated in paragraph 1 are expected to make the achievement of the objective of this processing impossible or severely impairs it, or
• for the assertion, exercise or defence of legal claims.

6. Right to the restriction of processing You have the right to require of us the restriction of the processing of your personal data if one of the following conditions exists:

• The accuracy of the personal data is contested by the data subject, and restriction is then for a period which allows the controller to verify the accuracy of the personal data;
• The processing is unlawful, the data subject rejects the deletion of the personal data and instead requires the restriction of the use of the personal data;
• The controller no longer requires the personal data for the purposes of processing, but the data subject requires it for the assertion, exercise or defence of legal claims, or
• the data subject objects to the processing in accordance with Art. 21 paragraph 1 GDPR, in which case restriction will be for as long as it is not yet determined if the legitimate reasons of the controller outweigh those of the data subject.

If the processing is restricted in accordance with the above-mentioned pre-requisites, this personal data – apart from storage – will be processed only with the consent of the data subject, or for the assertion, exercise or defence of legal claims, or to protect the rights of another natural or legal person, or for reasons of important public interest of the EU or a member state.
In order to exercise the right to restrict processing, the data subject can contact us at any time at the contact addresses above.

7. Right to data portability
You have the right to receive the personal data about you that you provided to us in a structured, standard and machine-readable format, and you have the right to transfer this data to another controller without hindrance by the current controller to whom the data was given, provided that:

• processing is based on consent pursuant to Art. 6 paragraph 1a or Art. 9 paragraph 2a or on a contract in accordance with Art. 6 paragraph 1b GDPR, and
• processing is carried out by means of automated procedures.

In exercising the right to data portability in accordance with paragraph 1, you have the right to insist that the personal data is transferred directly from one data controller to another, to the extent that this is technically feasible. The right to deletion (“Right to be forgotten”) is unaffected by the exercise of the right to data portability. This right does not apply if processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

8. Right to object
You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data relating to you based on Art. 6 paragraph 1e or f GDPR. In the event of objection, the controller no longer processes the personal data, unless it can prove compelling, protection-worthy reasons for the processing that outweigh the interests, rights and freedoms of the data subject, or the processing serves the assertion, exercise or defence of legal claims.

In connection with the use of services of the information society and notwithstanding Regulation 2002/58/EC, you are also free to exercise your right of objection by means of automated procedure in which technical specifications are used.

You have the right to object, for reasons arising from your particular situation, to the processing of personal data concerning you which serves scientific or historical research purposes or is conducted for statistical purposes in accordance with Art. 89 paragraph 1, unless the processing is necessary for the performance of a task in the public interest.

You can exercise your right to object at any time by contacting the respective controller.

9. Automated decision-making in individual cases, including profiling
You have the right to not be subjected to decision-making based solely on automated processing, which significantly affects you legally or in a similar way. This does not apply when the decision:

• is necessary for the conclusion or the fulfilment of a contract between the data subject and the controller;
• is permissible based on legislation of the EU or the member states to which the controller is subject, and this legislation contains reasonable measures to safeguard the rights and freedoms as well as the legitimate interests of the data subject, or
• is taken with the express consent of the data subject.

The controller takes reasonable measures to safeguard the rights and freedoms as well as the legitimate interests of the data subject, including at least the right to obtaining the intervention of a person on the part of the controller, to exposition of one’s own position and to contest the decision. The data subject can exercise this right at any time by contacting the respective controller.

10. Right to appeal to a supervisory authority
Without prejudice to another administrative or judicial remedy, you also have the right to appeal to a supervisory authority, in particular in the member state of your residence, workplace or where the alleged violation took place, if the data subject is of the opinion that the processing of the personal data concerning him/her violates this regulation.

11. The right to effective judicial remedy
Without prejudice to any available administrative or extra-judicial remedy including the right to appeal to a supervisory authority in accordance with Art. 77 GDPR, you have the right to effective judicial remedy, if you are of the opinion that the rights granted to you based on this regulation are violated due to processing of your personal data that is not consistent with this regulation.

Go to our data privacy policy in the application process

1. This website uses the Matomo/Piwik web analytics service to analyse and regularly improve the use of our website. We are able to improve our website and make it more interesting for you as the user using the statistics collected. Legal basis for the use of Matomo/Piwik is Art. 6 paragraph 1 sentence 1f GDPR.
2. For this analysis, cookies are stored on your computer. The information thus collected is saved by the controller exclusively on servers located in Germany. You can prevent this analysis by deleting all existing cookies and disallowing the saving of cookies. If you disallow the saving of cookies, we point out that you may not be able to fully use this website. Preventing the saving of cookies is possible through adjusting your browser settings. Preventing the use of Matomo/Piwik is possible by removing the tick in the box below, thus activating the opt-out plug-in.
3. This site uses Matomo/Piwik with the "AnonymizeIP" extension. This means that IP addresses are processed in truncated form, thus excluding direct association with your person. The IP address transmitted from your browser by Matomo/Piwik will not be matched with other data collected by us.
4. The Matomo/Piwik program is an open source project. Information of the third-party provider on data privacy

1. We use Google Maps on this website. We use it to display interactive maps directly on the website and allow you convenient use of the map function.
2. By visiting the website, Google will receive information that you have called up the corresponding sub-page of our website. In addition, the data listed under Section 3 of this policy will be transferred. This happens regardless of whether Google provides a user account through which you are logged in or if there is no user account. If you are logged into Google, your data is associated directly with your account. If you don't want association with your profile at Google, you have to log out before activation of the button. Google saves your data as a user profile and uses this for purposes of advertisement, market research and/or the demand-responsive design of its website. This sort of analysis takes place particularly (even for users who are not logged in) for the provision of demand-responsive advertising and to inform other users of social networks about your activities on our website. You are entitled to object to the formation of this user profile by addressing Google to exercise the right.
3. Further information on the purposes and scope of the data collection and processing by the plug-in provider can be found in the provider’s data privacy policy. There you will receive more information about your relevant rights and options to protect your privacy. Google also processes your personal data in the United States and has subjected itself to the EU-US Privacy Shield.

We work with the following external service providers (sub-contracted data processors) for the maintenance of the website and webhosting, as well as, for example, for the shipping of products, sending out of newsletters or payment processing. A separate data processing order is concluded with every service provider to safeguard the protection of your personal data.

• wilhelm innovative medien GmbH, Neue Bahnhofstraße 18, 10245 Berlin
• Mittwald CM Service GmbH & Co. KG, Königsberger Straße 4 – 6, 32339 Espelkamp
• domainfactory GmbH, Oskar-Messter-Straße 33, 85737 Ismaning
• JAR Media GmbH, Kratzberger Straße 9, 42855 Remscheid