Privacy Policy

Welcome to our website!

We are delighted that you are interested in our website. Protecting your privacy is very important to us. Following, please find detailed information about how we use your data.


This website uses a SSL encryption for purposes of security and to protect the transmittance of your data that you send to us as the website operator. You can recognise that you have an encrypted connection as the address line of you browser changes from http:// to https:// and there appears a lock indicator icon. If the SSL encryption is activated, your data transmitted to us cannot be read by any third party.


In this Privacy Policy you can find information on the kind, scope and purpose of the processing of personal data (hereinafter “data”) within our organization, in particular our online services and the related websites, features and contents as well as external online appearances such as our social media profile (hereinafter collectively the “online offering”). With respect to certain defined terms used herein, such as “processing” or “controller”, please refer to Art. 4 of the General Data Protection Regulation (GDPR).


Controller

Fotografie Forum Frankfurt

Braubachstraße 30–32

60311 Frankfurt am Main

contact@fffrankfurt.org

operating entity: Förderkreis Fotografie Forum Frankfurt e.V.

board: Dr. Thomas Duhnkrack (chairman), Dr. Angela Hildebrand (deputy), Dr. Aurelio Fichter, Michael Leppert, Dr. Paula Macedo Weiß

IMPRINT


Nature of Data processed:

  • base data (e.g., name, address, membership number)
  • contact data (e.g., email address, telephone number)
  • content data (e.g., text input, photos, videos)
  • usage data (e.g., websites visited, interest shown regarding content, access times)
  • meta/communication data (e.g., hardware information, IP addresses).

In addition to the above, we process

  • contract data (e.g., contract matter, term, client category)
  • payment data (e.g., account details, payment history)

of our customers and clients, interested parties and business partners for the purposes of meeting contractual obligations, providing services and customer care, marketing, publicity and market research.


Categories of data subjects

Visitors and users of the online offering (hereinafter collectively also referred to as “users”), members, supporters, customers and clients, interested persons and business partners, as well as staff.


Purpose of processing

  • The provision of services under our business purpose and articles, as well as related organization and management. (Den folgenden Satz bitte noch in der deutschen Version einfügen: Die Erbringung von Leistungen gemäß unserem Geschäftszweck und unserer Satzung sowie die damit verbundene Organisation und Verwaltung.)
  • The provision of the online offering, its features and contents.
  • The answering of contact requests and communication with users.
  • Security measures.
  • Coverage measurement / marketing.


Defined terms used

“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., a cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.


“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. This term is rather comprehensive and covers virtually any usage of data.


“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;


“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.


“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.


“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.


Relevant legal basis

We hereby inform you on the legal basis for the processing as required by Art. 13 of the GDPR. To the extent such legal basis is not explicitly mentioned herein, the following applies: The legal basis for obtaining consents is Art. 6 para. 1 point (a) and Art. 7 of the GDPR; the legal basis for processing necessary to provide our services, perform contracts or answer requests is Art. 6 para. 1 point (b) of the GDPR; the legal basis for processing necessary to comply with our legal obligations is Art. 6 para. 1 point (c) of the GDPR; and the legal basis for processing necessary for the purposes of our legitimate interests is Art. 6 para. 1 point (f) of the GDPR. In the event that vital interests of a data subject or of another natural person necessitate the processing of personal data, the legal basis therefor is Art. 6 para. 1 point (d) of the GDPR.


Security measures

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk in accordance with Art. 32 GDPR.


Such measures include, in particular, the protection of confidentiality, integrity and availability of data by controlling the physical access to these data as well as the related technical access, input, transfer, safeguarding of availability, and segregation. Moreover, we have implemented procedures to safeguard the exercise of rights by data subjects, the deletion of data and the reaction to any danger to the data. In addition, we consider the protection of personal data already when developing or selecting hardware, software and procedures, in line with the principle of data protection by design and by default (Art. 25 GDPR).


Cooperation with processors and third parties

In the event that we disclose, transfer or other grant access to, data to other persons or enterprises (processors or third parties) as part of our processing, this shall only occur as and when permitted by law (e.g., if data transfer to a third party such as a payment services provider is necessary for the performance of a contract pursuant Art. 6 para. 1 point (b) GDPR), consented by you, provided for by a legal obligation, or covered by our legitimate interests (e.g., when using agents, web hosts, etc.).


Any mandating of third parties with the processing of data on the basis of a contract shall be made in accordance with Art. 28 GDPR.


Data transfers to third countries

Any processing of data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) by us, or in connection with our use of services by, or our disclosure or transfer, respectively, of data to, third parties, shall only occur to meet our obligations under, or prior to entering into, a contract, or on the basis of your consent, a legal obligation, or our legitimate interests. Subject to any legal or contractual permissions we process, or let process, data in third countries only under the specific conditions of Art. 44 et seqq. GDPR. E.g., the processing shall be subject to appropriate safeguards such as the officially recognized determination of a data protection level equivalent of that within the EU (e.g., for the USA by the “Privacy Shield”) or the adherence to officially recognized special contractual obligations (so-called “standard clauses”).


Rights of the data subjects

You have the right to obtain from us confirmation as to whether or not data concerning you are being processed, and to access to any such data as well as to further information and a copy of such data, all in accordance with Art. 15 GDPR.


You have the right pursuant to Art. 16 GDPR to have incomplete or inaccurate data concerning you completed or rectified.


You have the right in line with Art. 17 GDPR to obtain erasure of data concerning you without undue delay or, alternatively, restriction of processing under Art. 18 GDPR.


You have the right to receive pursuant to Art. 20 GDPR the data concerning you which you have provided to us, and to require their transmission to another controller.


Moreover, you have the right under Art. 77 GDPR to lodge a complaint with the competent supervisory authority.


Right of withdrawal

You have the right to withdraw your consent according to Art. 3 para. 3 GDPR with effect as to the future.


Right to object

Under Art. 21 GDPR, you have the right to object at any time to future processing of data concerning you. In particular, you may object to processing for direct marketing purposes.


Cookies and right to object to direct marketing

The term “cookie” refers to small files that are stored on your end device and that may save various sorts of information. Cookies primarily serve to save information on the user (or the device on which the cookie is stored, respectively) during and also after his or her visit to an online offering. Temporary cookies, also referred to as “session cookies” or “transient cookies”, are deleted after the user leaves the online offering and closes his or her browser. Such cookies may, e.g., store the content of a shopping cart in an online shop, or a login status. “Permanent” or “persistent” cookies remain on your end device also after you close your browser. Thus, for instance, the login status may be stored for when the user revisits the online offering several days later. Such cookies may also save the interests of a user for coverage measurement or marketing purposes. “Third party cookies” refers to cookies used by providers other than the controller operating the online offering (otherwise, if used only by such controller, referred to as “first party cookies”).


We may use temporary as well as permanent cookies and inform you thereof in this privacy policy.


If users do not want cookies to be stored on their end device, they are kindly asked to (de)activate the respective option in the system settings of their browsers. Any cookies stored can be deleted via such browser settings. By not accepting cookies in general, the functionality of our website might be limited.


General objection to the use of cookies used for online marketing purposes can, with respect to a great many of services, in particular in the event of tracking, be declared via the US site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/. Moreover, disabling them in your browser settings can prevent the storage of cookies. Please note, however, that this might limit the functionality of our website.


Erasure of data

Data processed by us will be erased or restricted with respect to their processing in accordance with Art. 17 and 18 of the GDPR. Unless explicitly stated herein, data stored with us will be erased where they are no longer necessary in relation to their purpose, unless applicable legal retention obligations prevent such erasure. To the extent such data are not erased as they are necessary for other legally permitted purposes, their processing will be restricted. I.e., the data will be blocked and not used for other purposes. E.g., this applies to data required to be retained for commercial law or tax law reasons.


Under German law there is, in particular, a mandatory retention period of 10 years pursuant to Sect. 147 para. 1 of the General Tax Code and Sect. 257 para. 1 nos. 1 and 4, para. 4 of the Commercial Code (books, records, management reports, receipts, books of account, tax relevant documents, etc.) or 6 years pursuant to Sect. 257 para. 1 nos. 2 and 3, para. 4 Commercial Code (business letters), respectively.


Contractual services

We process the data of our contract partners and interested parties as well as other sponsors, customers and clients or parties (collectively referred to as “contract partners”) according to Art. 6 para. 1 point (b) GDPR in order to perform a contract or take steps requested prior to entering into a contract. The data so processed as well as their kind, scope, purpose and necessity of processing depend on the underlying contract.


The data processed include the base data of our contract partners (e.g., name and address), contact data (e.g., email address and telephone number) as well as contract data ( e.g., services requested, contract contents, contractual communication, names of contact persons) and payment data (e.g., bank information, payment history).


We generally do not process special categories of personal data, except as part of a processing in line with a specific mandate or contract.


We process data necessary for the establishment or performance of contractual obligations, and inform about the necessity of their provision unless evident for the contract partner. Disclosure to external persons or enterprises is only made if necessary in connection with a contract. When processing data provided to us in connection with a mandate, we act in line with the principal’s instructions and legal requirements.


In the context of the use of our online offering we may store the IP address and the time of the respective user action. Storage is made on the basis of our legitimate interests as well as the interests of the user to be protected against misuse and other unauthorized usage. Such data are generally not transferred to third parties, unless necessary to pursue our interests pursuant to Art. 6 para. 1 point (f) GDPR or there is a legal obligation as stipulated in Art. 6 para. 1 point (c) GDPR.


Data are erased if they are no longer necessary to meet contractual or legal fiduciary duties or to account for any warranty or similar obligations, whereby the necessity of such data retention is checked every three years; otherwise, the legal retention requirements apply.


External payment services providers

We engage external payment services providers to enable users and us to perform payment transactions via their platforms (e.g., in each case with link to their privacy policy, Giropay (https://www.giropay.de/rechtliches/datenschutz-agb/), Visa (https://www.visaeurope.com/privacy/),
MasterCard (https://www.mastercard.co.uk/en-gb/about-mastercard/what-we-do/privacy.html).


In the context of contract performance we engage these providers on the basis of Art. 6 para. 1 point (b) GDPR. Otherwise, the legal basis for engaging external payment services providers are our legitimate interests pursuant to Art. 6 para. 1 point (f) GDPR in order to offer our users an effective and secure payment channel.


Data processed by the payment services providers include base data (e.g. name and address), bank data (e.g., account or credit card number, passwords, TANs and checksums) as well as contract, amount or payee-related information. Such information is necessary to perform the transaction. The data input will, however, only be processed by, and stored with, the payment services provider. I.e., we do not receive account or credit card related information, but only information regarding the confirmation or rejection of payment. The payment services provider may possibly forward the data to commercial credit reporting agencies for identity and solvency check purposes. In that respect we refer to the terms and conditions and privacy policies of the payment services providers.


The payment transactions are subject to the terms and conditions and privacy policies of the respective payment services providers available on the relevant websites or via the transaction applications. We refer thereto also for further information and for claiming rescission, information or other rights.


Administration, financial accounting, office and contact management

We process data in connection with administrative tasks as well as business administration, financial accounting and compliance with legal requirements, e.g. on archiving and data retention. The data processed in that context are the same data we also process when performing our contractual obligations. The legal basis for such processing is Art. 6 para. 1 points (c) and (f) GDPR. Data subjects concerned include customers and clients, interested parties, business partners and visitors to our website. The purpose of, and our legitimate interest in, such processing includes the administration, financial accounting, office management and data archiving, i.e. tasks supporting the maintenance of our business operations, the performance of our obligations and the provision of our services. Data erasure with respect to contractual obligations, services and communication conforms to the information otherwise given herein with respect to these processing activities.


In this context, we disclose or transmit data to the financial authorities, advisers and consultants (e.g., tax advisers, auditors), and further toll agencies and payment services providers.


Moreover, we store information related to suppliers, organizers and other business partners based on our economic interests, e.g. for future contacts. Such data, the majority of which are enterprise related, are generally stored permanently.


Providing services according to our articles and business

We process the data of our members, sponsors, interested persons, customers and clients as well as other persons in line with Art. 6 para. 1 point (b) GDPR, to the extent we provide them with contractual services or act as part of an existing business relationship, e.g. towards our members, or receive services and contributions ourselves. Otherwise, we process the data of data subjects according to Art. 6 para. 1 point (f) GDPR based on our legitimate interests, e.g. in the case of administrative tasks or public relations.


The data so processed, the kind, scope, purpose as well as the necessity of their processing depend on the underlying contractual relationship. This generally includes base data of the data subjects (e.g., name, address, etc.) as well as contact data (e.g., email address, telephone, etc.), contract data (e.g., services received, names of contact persons) and, to the extent we provide chargeable services and products, payment data (e.g., bank account, payment history, etc.)


We erase data that are no longer necessary for the provision of services according to our articles and business, which depends on the tasks and contractual relationships in question. In the event of commercial processing we store the data as long as they might be relevant for the performance of the transaction as well as for potential warranty and liability obligations. The necessity of storage is checked every three years; otherwise the statutory retention obligations apply.


Making contact

In the event of a contact (e.g., via email, telephone or social media) the information given by the user is processed in order to answer and execute the contact request according to Art. 6 para. 1 point (b) GDPR. The user information may be stored in a customer relationship management (CRM) system or comparable contact management tool.


We erase the requests when they are no longer necessary, which is checked every two years; otherwise the statutory retention obligations apply.


Newsletter

The following provides you with information on the contents of our newsletters, the procedures for opting-in, distribution and statistical analysis, as well as your right to object. By subscribing to our newsletters you agree to their receipt and the procedures described.


Content of the newsletters: We distribute newsletters, emails and other electronic notifications with promotional content (hereinafter “newsletter”) only with the recipients’ consent or a statutory permission. In the event the contents of a newsletter are described in some detail in the context of a subscription, the users’ consent is based thereon. Otherwise our newsletters contain information on us and our services.


Double-Opt-In and logging: Subscription of our newsletter occurs via a so-called Double-Opt-In procedure. I.e., upon initial opt-in you receive an email in which you are asked to confirm your subscription. Such confirmation is required to ensure that nobody can subscribe with someone else’s email address. Newsletter subscriptions are logged to be able to prove the subscription process in line with applicable legal requirements. That includes storage of the subscription and confirmation date and time as well as the IP address. Moreover, any changes to your data stored with the distribution services provider are also logged.


Subscription data: In order to subscribe to the newsletter it is sufficient if you provide us with your email address. We kindly ask you to optionally also provide a name to allow for personalized salutation in the newsletter.


Distribution of the newsletter, as well as related performance measurement, are based upon the recipients’ consent pursuant to Art. 6 para. 1 point (a), Art. 7 GDPR in connection with Sect. 7 para. 2 no. 3 UWG (German act against unfair competition) or, where such consent is not required, upon our legitimate interest in direct marketing pursuant to Art. 6 para. 1 point (f) GDPR in connection with Sect. 7 para. 3 UWG.


Logging of the subscription procedure is based upon our legitimate interests according to Art. 6 para. 1 point (f) GDPR to apply a user friendly and secure newsletter system that meets both our business interests as well as the users’ expectations, and provides evidence of consents.


Termination / Withdrawal – You may terminate (unsubscribe) the receipt of our newsletter at any time, i.e. withdraw your consent. A link to the termination of the newsletter can be found at the end of each newsletter. Prior to erasing any unsubscribed email addresses we may retain them for a period of up to three years based on our legitimate interest of being able to prove a pre-existing consent. Processing of such data will be limited to the purpose of a potential defence against claims. Individual application for erasure is possible at any time, provided the previous existence of a consent is confirmed at the same time.


Newsletter - CleverReach

The newsletter is distributed via the distribution services provider CleverReach GmbH & Co. KG, Mühlenstr. 43, 26180 Rastede, Germany. Their privacy policy can be viewed here: https://www.cleverreach.com/en/privacy-policy/. We engage such distribution services provider on the basis of our legitimate interests pursuant to Art. 6 para. 1 point (f) GDPR and a processing contract pursuant to Art. 28 para. 3 sentence 1 GDPR.


The service provider can use the recipients’ data in pseudonymised form, i.e. without attribution to a specific user, in order to optimize or improve its services, e.g. for technical optimization of the distribution or presentation of the newsletter or for statistical purposes. It does not, however, use the data of our newsletter recipients to write to these recipients itself, nor to transfer such data to third persons.


Newsletter – performance measurement

The newsletters contain a so-called web beacon, i.e. a file of pixel size, that is retrieved from our server, or from the server of a distribution services provider engaged by us, when the newsletter is opened. In the context thereof, certain technical information such as data relating to the browser or to your system as well as your IP address and the time of retrieval is collected.


Such information is used for technically improving the services based on the technical data or the target recipients and their reading habits according to the places from which the newsletter is accessed (which can be determined via the IP address) or the access times. Statistical analyses also include whether and when the newsletters are opened and which links are clicked. Although for technical reasons this information may be attributed to individual newsletter recipients, it is neither our intention, nor that of any distribution services provider engaged by us, to monitor individual users. The analyses rather serve us for discovering our users’ reading habits and adapting our contents thereto or distributing different contents according to different users’ interests.


Unfortunately, separate withdrawal from the performance measurement is impossible; in that case the entire newsletter subscription must be terminated.


Hosting and email distribution

The hosting services received by us serve the following purposes: infrastructure and platform services, computing capacity, storage capacity and data bank services, email distribution, security services as well as technical maintenance used for the operation of our online offering.


In that context we or our hosting provider, as the case may be, process base data, contact data, content data, contract data, usage data, meta and communication data of customers and clients, interested persons and users of our online offering based on our legitimate interests in an efficient and secure provision of our online offering according to Art. 6 para. 1 point (f) in connection with Art. 28 GDPR.


Collection of access data and log files

Based on our legitimate interests pursuant to Art. 6 para. 1 point (f) GDPR, we or our hosting provider, as the case may be, collect data on each access to our server hosting this service (so-called server log files). Such access data include name of the website accessed, file, date and time of the access, data amount transferred, confirmation of successful access, browser type and version, the user’s operation system, referrer URL (the website used before), IP address and the requesting provider.


For safety reasons (e.g., to discover acts of misuse or fraud), log file information is stored for a period of up to seven days, and discarded thereafter. Any data the further retention of which is necessary for evidence reasons are exempt from erasure pending final clarification of the relevant incident.


Google Analytics

We use Google Analytics, a web analysis service of Google, Inc. (“Google”), based on our legitimate interests (i.e., our interest in the analysis, optimization and economic operation of our online offering pursuant to Art. 6 para. 1 point (f) GDPR). Google uses cookies. The information generated by the cookie concerning your use of this online offering is as a rule transmitted to a server of Google in the USA and stored.


Google is certified under the Privacy Shield treaty and thus guarantees to comply with European data protection rules (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).


Under authority of this website’s provider, Google will use this information to evaluate the use of this website, to compile reports on the website activity and to provide other services for the website operator related to the use of the website and of the internet. In this context, the data processed may be combined to pseudonymised usage profiles of the users.


We only use Google Analytics with activated IP address anonymisation. I.e., within the member states of the European Union and all other states parties to the agreement governing the European Economic area (EEA), your IP address information will be shorten by Google beforehand. Only in exceptional cases would the complete IP address be transmitted and stored on a server of Google in the USA and shortened there.


The IP address transmitted from your browser will not be combined with other data from Google. You may refuse the use of cookies by selecting the appropriate settings on your browser; you can also prevent the collection of the information that the cookie generates about your use of this website being transmitted to Google as well as the processing of this data by Google by downloading and installing the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en-GB.


Additional information on the data usage by Google, potential settings and refusals can be found in Google’s Privacy Policy (https://policies.google.com/technologies/ads?hl=en) as well as in the settings for the display of ads by Google (https://adssettings.google.com/authenticated).


Personal data of the users will be erased or anonymised after 14 months.


Online presences in social media

We maintain online presences in social media and platforms to be able communicating with our customers and clients, interested persons and users active there, and informing them there about our services. When accessing the relevant networks and platforms the general terms and conditions and privacy policies of their respective operators apply.


Except to the extent otherwise stated herein we process data of users communicating with us within these social networks and platforms, e.g. posting contributions or sending us messages on our online presences.


Embedding services and content of third parties

Based on our legitimate interests (i.e., interests in the analysis, optimization and economic operation of our online offering pursuant to Art. 6 para. 1 point (f) GDPR) our online offering uses service and content offerings of third party providers in order to embed their services and contents such as videos or fonts (hereinafter collectively “Contents”).


This always requires that the third party providers of such Contents notice the users’ IP addresses, as they would not be able sending these Contents to the users’ browsers without such IP addresses. The IP address is thus necessary to display these Contents. We endeavour embedding only such Contents the providers of which use the IP address only for delivering these Contents. Moreover, third party providers may use so-called pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. These pixel tags allow for the analysis of information such as the user traffic on the pages of this website. Furthermore, this pseudonymous information may be stored in cookies on your end device, may contain, among others, technical information on your browser and operation system, referring websites, access times and additional information on the use of our online offering, and may be combined with such information from other sources.


Adobe typekit fonts

Based on our legitimate interests (i.e., our interests in the analysis, optimization and economic operation of our online offering pursuant to Art. 6 para. 1 point (f) GDPR) we use external “typekit” fonts of the provider Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Republic of Ireland. Adobe is certified under the Privacy Shield treaty and thus guarantees compliance with the European data protection rules (https://www.privacyshield.gov/participant?id=a2zt0000000TNo9AAG&status=Active).


Compiled with Datenschutz-Generator.de of Dr. Thomas Schwenke, counselor-at-law.


    Please wait