This privacy statement informs you about the form, the extent and the purpose of the processing of personal data (hereinafter referred to as “data”) within our online offering and the websites, functions and contents associated with it as well as our external online presence, e.g. our social media profile (hereinafter referred to collectively as “online offering”). With regard to the terms used, e.g. “processing” or “controller”, we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).
Soeurs du Très Saint Sauveur
(Sisters of the Divine Saviour – Niederbronn Sisters)
2, rue Principale
F – 67110 OBERBRONN
Visitors and users of the online offering (hereinafter we refer to the data subjects collectively as “users”).
“Personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is wide-ranging and includes practically any handling of data.
“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
In accordance with Article 13 of the GDPR, we inform you about the legal bases of our processing of data. Provided that the legal basis is not mentioned in the privacy statement, the following applies: the legal basis for the obtainment of consent is Article 6 (1)(a) and Article 7 of the GDPR, the legal basis for the processing for the performance of our services and the execution of contractual measures as well as the response to requests is Article 6 (1)(b) of the GDPR, the legal basis for the processing for compliance with our legal obligations is Article 6 (1)(c) of the GDPR, and the legal basis for the processing for the purposes of our legitimate interests is Article 6 (1)(f) of the GDPR. In the event that vital interests of the data subject or of another natural person require the processing of personal data, the legal basis is Article 6 (1)(d) of the GDPR.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR.
These measures include in particular ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as access to, input and transfer of the data, ensuring their availability and their separation. Furthermore, we have established procedures which guarantee the exercise of the rights of data subjects, the deletion of data and the reaction to compromise of data. In addition, we already take into account the protection of personal data in the development or selection of hardware, software and procedures, in accordance with the principle of data protection by design and by default (Article 25 of the GDPR).
Provided that in the scope of our processing we disclose data to other persons or companies (processors or third parties), transmit those to them or grant them any other kind of access to the data, this occurs solely on the basis of a legal permission (e.g. when a transfer of data to third parties, such as payment service providers, is necessary for the performance of a contract, in accordance with Article 6 (1)(b) of the GDPR), if you have consented, if a legal obligation provides for this or on the basis of our legitimate interests (e.g. when agents, web hosts, etc. are involved).
If we commission third parties to process data on the basis of a so-called “processing agreement”, this happens on the basis of Article 28 of the GDPR.
Provided that we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or that this occurs in the scope of the use of third-party services or disclosure or transfer of data to third parties, this is done only if it happens for the fulfilment of our (pre-)contractual obligations, on the basis of your consent, due to a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we only process data or have data processed in a third country if the special prerequisites are met which are laid down in Article 44 et seq. of the GDPR. This means that the processing occurs e.g. on the basis of particular guarantees, such as the officially recognised determination of a data-protection level corresponding to the EU (e.g. for the USA by the “Privacy Shield”) or in compliance with officially recognised contractual obligations (so-called “standard contractual clauses”).
You have the right to obtain confirmation as to whether or not respective data are being processed and to access to those data as well as to further information and a copy of the data, in accordance with Article 15 of the GDPR.
In accordance with Article 16 of the GDPR, you have the right to have incomplete personal data completed and to obtain the rectification of inaccurate data concerning you.
In accordance with Article 17 of the GDPR, you have the right to obtain the erasure of the respective data, or alternatively, in accordance with Article 18 of the GDPR, to obtain restriction of processing of the data.
You have the right to receive the data which you have provided to us, according to Article 20 of the GDPR, and to transmit those data to other controllers.
Furthermore, in accordance with Article 77 of the GDPR, you have the right to lodge a complaint with the competent supervisory authority.
You have the right to withdraw your consent with effect for the future, in accordance with Article 7 (3) of the GDPR.
In accordance with Article 21 of the GDPR, you can object at any time to future processing of data concerning you. The objection can be raised in particular when data are processed for direct marketing purposes.
The term “cookies” describes small files that are saved on the users’ computers. Within the cookies, a variety of information can be saved. A cookie primarily serves for saving information on a user (or the device on which the cookie is saved) during or even after his visit within an online offering. Temporary cookies, also called “session cookies” or “transient cookies”, are cookies which are deleted after a user leaves an online offering and closes his browser. Such a cookie can store e.g. the contents of a shopping cart in an online shop or a login status. “Permanent” or “persistent” cookies are those that remain saved even after the browser has been closed. Thus, e.g. the login status can remain saved when the users access the online offering several days later. Equally, the interests of the users, which are used for range measuring or marketing purposes, can be saved in such a cookie. “Third-Party Cookies” are cookies that are offered by a provider other than the controller that operates the online offering (otherwise, if they are only his cookies, they are called “First-Party Cookies”).
We may use temporary and permanent cookies and inform about this as part of our privacy statement.
In case the users do not want cookies to be saved on their computer, they are asked to deactivate the respective option in the system settings of their browser. Saved cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional limitations of this online offering.
In accordance with Articles 17 and 18 of the GDPR, the data processed by us are erased or restricted in their processing. If not expressly indicated in the scope of this privacy statement, the data stored with us are erased as soon as they are no longer necessary for their purpose and if there are no legal retention requirements opposed to their erasure. If the data are not erased because they are necessary for other and legally admissible purposes, their processing is restricted. This means that the data are blocked and not processed for other purposes. This applies e.g. to data that have to be kept for legal and fiscal reasons.
According to the legal requirements in Germany, the retention occurs in particular for 10 years, in compliance with §§ 147 Abs. 1 AO, 257 Abs. 1 Nr. 1 and 4, Abs. 4 of the commercial code HGB (books, records, status reports, booking documents, trading books, documents relevant for taxation, etc.) and for 6 years in compliance with § 257 Abs. 1 Nr. 2 and 3, Abs. 4 of the HGB (commercial letters).
According to the legal requirements in Austria, the retention occurs in particular for 7 years, in compliance with § 132 Abs. 1 of the BAO (accounting documents, receipts/invoices, accounts, records, business documents, statement of revenue and expenditure, etc.), for 22 years in the context of estates, and for 10 years for documents in connection with electronically rendered services, telecommunication, radio and television services which are rendered to non-entrepreneurs in EU member states and for which the Mini-One-Stop-Shop (MOSS) is used.
We process data in the context of administrative tasks and organisation of our enterprise, financial accounting and compliance with legal obligations, e.g. archiving. For this, we process the same data that we process in the scope of the rendering of our contractual services. The bases for the processing are Article 6 (1)(c) and Article 6 (1)(f) of the GDPR. Affected by the processing are clients, interested persons, business partners and website visitors. The purpose and the interest in the processing lie in the administration, financial accounting, office organisation and filing of data, thus tasks that serve for maintaining our business activities, performing our duties and rendering our services. The erasure of data with regard to contractual services and contractual communication corresponds to the statements made in those processing activities.
For this, we disclose data to the financial administration, advisors such as tax consultants or auditors, as well as further tax authorities and payment service providers.
Furthermore, on the basis of our economic interests, we save information on suppliers, organisers and other business partners for the purpose of e.g. contacting them. Those mostly business-related data are basically saved permanently.
We process the data of our members, supporters, interested persons, clients or other persons in accordance with Article 6 (1)(b) of the GDPR, provided that we offer them contractual services, or if we become active in the context of existing business relations, e.g. with members, or if we ourselves are recipients of services and donations. Apart from that, we process the data of data subjects in accordance with Article 6 (1)(f) on the basis of our legitimate interests, e.g. in the case of administrative tasks or public relations work.
The data processed in this way, and the form, extent and purpose as well as the necessity of their processing, are defined by the underlying contractual relationship. These include, in principle, basic and master data (e.g. name, address, etc.) as well as contact data (e.g. e-mail address, telephone, etc.), the contractual data (e.g. services received, communicated content and information, names of contact persons) and, provided that we offer paid services or products, payment data (e.g. bank account, payment history, etc.).
We erase data that are no longer necessary for the performance of our statutory and business purposes. This is defined according to the respective tasks and contractual relations. In the case of business-related processing, we keep the data for as long as they may be relevant for business processing or with regard to possible guarantee obligations or liabilities. The necessity of keeping the data is examined every three years; apart from that, the legal retention obligations apply.
The hosting services used by us serve for the provision of the following services: infrastructure and platform services, computing capacity, memory space and database services, e-mail dispatch, security services and technical maintenance services which we use for the operation of this online offering.
For this, we or our hosting provider process basic data, contact data, content data, contractual data, usage data, metadata and communication data of clients, interested persons and visitors of this online offering on the basis of our legitimate interest in an efficient and secure provision of this online offering, in accordance with Article 6 (1)(f) of the GDPR in connection with Article 28 of the GDPR (conclusion of contract with processor).