- Published: January 4, 2019
New data privacy provisions have come into effect on 25 May 2018 with the EU General Data Protection Regulation. Our following notice will inform you how the German Foundation for International Legal Cooperation (IRZ) processes your personal data and which rights you have under the data privacy law:
1. Details of the controller:
German Foundation for International Legal Cooperation
Contact details of the controller:
Telephone: +49 228 / 9555 0
Fax: +49 228 / 9555 100
Register of Associations of the Local Court of Bonn VR 6349
2. Contact details of the data protection officer:
3. Information about the processing purposes and their legal basis:
The IRZ will process your personal data in due consideration of the EU General Data Protection Regulation (GDPR), the new German Federal Data Protection Act (BDSG - Bundesdatenschutzgesetz) as well as all other relevant legal provisions.
Your personal data will be processed for the purposes of executing or initiating contracts or performing the IRZ's work resulting from the initiative of the parties involved or the IRZ (e.g. organising membership under association law, organising events and seminars or projects of the IRZ). The legal basis is Art. 6 (1) (b) GDPR for these purposes.
Moreover, personal data will be processed for the purpose of fulfilling legal obligations (e.g. transmissions to fiscal authorities or compliance with legal duties to retain data (e.g. Section 147 German Tax Code) which IRZ is subject to. The legal basis is Art. 6 (1) (c) GDPR for these purposes.
Furthermore, personal data will be processed to safeguard the legitimate interests of the IRZ. This is the case e.g. when we store third parties’ contact details or provide information about our work in performing our purposes of association. The legal basis is Art. 6 (1) (f) GDPR for these purposes.
Personal data are ultimately processed on the basis of consents we have been given by the data subjects. The legal basis is Art. 6 (1) (a) GDPR for this purpose.
4. Source of the personal data:
The IRZ will collect personal data obtained from the data subjects themselves or from publicly accessible sources (Internet).
5. Information about categories of recipients of personal data:
Recipients of personal data transmitted on the part of our organisation first of all are any service providers or contractors (e.g. EDP and IT service providers and banking institutions) which will process the personal data on our behalf. They will engage in their activities on the basis of a contract made with the IRZ and will act as processors within the meaning of Art. 28 GDPR.
Furthermore, recipients of personal data are third parties who take over functions on behalf of our organisation within the scope of our activities to the extent this is required for complying with legal obligations or obligations arising from our articles of association.
6. Information about transmission to a third country:
Personal data will be transmitted to third countries to the extent this is required to realise IRZ projects. In this case, the data subjects will be informed about the reference to a third country. Outside the realisation of projects and information about the IRZ’s work no other data will be transmitted to third countries. Third countries are states other than member states of the European Union.
7. Information about storage periods of personal data:
We will store personal data pursuant to a general concept for erasure which applies to the IRZ. Personal data will be classified in erasure classes according to that concept. In this erasure class, storage periods and standard time limits for erasure are attributed to such personal data. After the expiry of the standard time limits the personal data will be deleted.
Personal data stored in connection with the membership or bodies of the IRZ will be erased after the termination of each contract and after the expiry of a period after which any legal claims against us cease to exist, e.g. when they become statute-barred (statutory limitation period not exceeding 30 years, however, in general three years). The same applies to IRZ projects.
As a general rule, your personal data will be erased or anonymised as soon as they are no longer required for the aforementioned purposes, unless we are required to continue their storage pursuant to legal obligations to provide evidence or to retain data (obligations to retain data for a period not exceeding 10 years).
8. Information about the rights of data subjects:
You have the following rights as a data subject pursuant to the GDPR:
- right of access (Art. 15)
- right to rectification (Art. 16)
- right to erasure (Art. 17)
- right to restriction of processing (Art. 18)
- right to object to processing (Art. 21)
- right of data portability (Art. 20)
9. Information about the right to withdraw consent:
If processing is based on Art. 6 (1) (a) GDPR (Consent) or Art. 9 (2) in connection with special types of personal data, i.e. based on consent given by the data subject, we inform you that you have the right to withdraw the consent at any time, without affecting the lawfulness of processing based on consent before the withdrawal of consent.
10. Information about the right to lodge a complaint:
The following supervisory authority is competent for us:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Kavalleriestr. 2-4, D-40213 Düsseldorf
Data subjects have the right to lodge a complaint pursuant to Art. 77 (1) GDPR if legal provisions have been infringed in processing personal data.
11. Provision of personal data:
The IRZ provides different services which are based on a contract made between you as a data subject and us (e.g. employment contract; contract relating to the participation in events or seminars or projects). You are obliged to provide particular personal data in that respect. These are data which the IRZ requires to fulfil the contracts (e.g. address/payment data). Contracts cannot be made with us, unless these data are provided.
12. Automated decision-making and profiling:
The IRZ does not engage in automated decision-making (e.g. credit rating) or profiling (e.g. information about preferences or the behaviour of data subjects) within the meaning of Art. 22 GDPR.
Notice of August 2018 – you will be given notice of any relevant changes, if necessary.