I. General information about data protection
1. Data protection
Thank you for your interest and for visiting our website. DASTANI CONSULTING GmbH, the website provider, takes the protection of your personal data very seriously. We treat your personal data as confidential and in accordance with statutory data protection regulations.
DASTANI CONSULTING GmbH, as the data controller, has implemented numerous technical and organisational measures to ensure the most comprehensive possible protection of personal data that is processed via this website. However, please be aware that transferring data via the internet (for example when communicating via e-mail) may not be secure. It is therefore not possible to protect data without exception from third party access.
2. Data controller
The data controller pursuant to GDPR and other applicable national data protection laws and regulations is:
DASTANI CONSULTING GmbH
Im Westpark 8
35435 Wettenberg (bei Gießen)
Tel.: + 49 (0)641 984 46 – 0
Fax: + 49 (0)641 984 46 – 29
Managing Director: Dr. Parsis Dastani
3. Data protection officer
The data controller’s data protection officer is:
Alkemade IT-Security e.K.
Egerländer Str. 9
Tel.: +49 6002 939593
II. General information about data processing
1. Scope of personal data processing
We only process the personal data of visitors to our website to the extent necessary to provide the website functions, content and services.
2. Legal bases for the processing of personal data
If personal data is processed with the data subject’s consent, the legal basis is Article 6 (1) a GDPR.
If it is necessary to process personal data for the purpose of executing a contract with the data subject, the legal basis is Article 6 (1) b GDPR. This also applies to personal data which is processed to take steps prior to entering into a contract.
If the personal data is processed to comply with a legal obligation on the part of the data controller, the legal basis is Article 6 (1) c GDPR.
If processing is necessary in order to protect the vital interests of the data subject or of another natural person, the legal basis is Article 6 (1) d GDPR.
If processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, the legal basis is Article 6 (1) f GDPR.
3. Data erasure and duration of storage
The data subject’s personal data are erased or the processing is restricted when the purposes of processing no longer apply. Personal data may also be processed if this is necessary for the data controller to comply with European or national statutory requirements under EU directives, laws or other regulations. Data processing is restricted or the data is erased if a mandatory statutory retention period expires unless it is necessary to continue storing the data in order to enter into or execute a contract.
III. Provision of the website and creation of log files
Collection of general information
Each time you access this website we or the web space provider automatically collect(s) information in the form of server log files. These log files are general in nature and cannot be traced back to any specific individual.
The data we collect includes: name of the website, file, date, data volume, web browser and web browser version, operating system, your internet provider’s domain name, referrer URL (the website that you accessed our website from) and IP address.
Without this data it would be technically impossible to deliver or display website content. The collection of the data is therefore absolutely essential. We also use the anonymous information for statistical purposes. It helps us to optimise the website experience and the website technology. We reserve the right to check log files if we suspect that somebody is unlawfully using our website.
1. Description and scope of data processing
Each time you visit our website our system automatically collects data and information from your computer.
The following data (server log files) are automatically transferred by your browser and collected by us:
• Browser type (version used, language settings etc.)
• User’s operating system
• User’s IP address
• Date and time of access
• Referrer URL (website, search engine or link via which our website is accessed)
• URL of the website accessed by the user from our website
• Status information (e.g. error messages)
• Volume of data transmitted
The data are also stored in the log files in our system. They are not combined with other personal data concerning the user.
We reserve the right to subsequently check these data, or to have them checked, if there are concrete indications of unlawful use.
2. Legal basis for data processing
The legal basis for the temporary storage of data and log files is Article 6 (1) f GDPR.
3. Purpose of data processing
Temporary storage of the IP address by the system is necessary to display website content on your terminal. The IP address of the user (visitor) is therefore stored for this purpose for the duration of the session. Log files are stored to optimise the website experience and to ensure the security of our information systems. No data is analysed for marketing purposes in this connection.
It is also in our legitimate interest to process this data pursuant to Article 6 (1) f GDPR.
4. Duration of storage
The data are erased when they are no longer necessary for the purposes for which they were collected. Data collected to enable the user to use the website are erased at the end of the session.
Data stored in log files are erased after seven days at the latest. It is possible to store them for longer (e.g. for security reasons, to clarify acts of abuse or fraud, or for evidentiary purposes). In this case the user’s IP address is erased or obfuscated to prevent identification of the originating client.
5. Right to object and opt out
The collection of the data and the storage of the data in log files is necessary to operate the website. The user therefore has no right to object.
1. Description and scope of data processing
The following data is stored and transferred in cookies:
• Language settings
• Login information
2. Purpose of data processing
Cookies are technically necessary and we use them to simplify the user experience on our website. Some website functions cannot be provided without cookies. These are functions that need to recognise your browser when you go from one web page to another.
• Apply language settings
• Remember search terms
Data collected with technically necessary cookies are not used for profiling purposes.
3. Legal basis for data processing
It is also in our legitimate interest to process this personal data pursuant to Article 6 (1) f GDPR.
4. Duration of storage, right to object and opt out
You cannot disable Flash cookies by changing your browser settings. To do that you have to change the settings in your Flash Player.
V. E-mail contact
1. Description and scope of data processing
You can contact us at the e-mail address provided on our website. In that case the personal data contained in your e-mail will be stored.
No data will be transferred to third parties in this connection. The data are exclusively used for the purpose of our correspondence with you.
2. Legal basis for data processing
The legal basis for processing the data is the user’s consent pursuant to Article 6 (1) a GDPR.
Where e-mail data is processed, the legal basis is Article 6 (1) f GDPR. If the purpose of the e-mail contact is to conclude a contract, the data is also processed on the legal basis of Article 6 (1) b GDPR.
3. Purpose of data processing
If we are contacted by e-mail it is in our legitimate interest to process the data in order to respond to the sender.
4. Duration of storage
The data are erased when they are no longer necessary for the purposes for which they were collected. When personal data is sent to us in an e-mail, the data is erased when the correspondence with the user ends. The correspondence is deemed to have ended when circumstances indicate that the matter concerned has been conclusively clarified or resolved.
The personal data which is additionally collected during the sending process is erased after seven days at the latest.
5. Right to object and opt out
Users can revoke their consent to the processing of personal data concerning them at any time. Users who contact us by e-mail can object to the storage of their personal data at any time. In that case the correspondence with the user is terminated.
Declarations of revocation of consent, requests for changes, rectifications and updates to data can be sent to DASTANI CONSULTING GmbH in writing, by fax or by e-mail.
In this case, all personal data stored in connection with the contact will be erased.
VI. Data subject rights
When personal data concerning you is processed you have the following rights as the data subject pursuant to GDPR.
1. Right to information
You can request confirmation from the data controller of whether personal data concerning you are being processed by us.
If personal data concerning you is being processed, you can request the following information from the controller:
• the purposes for which the personal data are being processed;
• the categories of personal data being processed;
• the recipients or categories of recipients to whom the personal data has been or will be disclosed;
• the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
• the existence of the right to obtain from the controller rectification or erasure of personal data concerning you, the right to restriction of processing by the controller or the right to object to processing;
• the right to lodge a complaint with a supervisory authority;
• all available information about the origin of the data if the personal data were not collected from the data subject;
• the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to obtain information about whether the personal data concerning you is transferred to a third country or an international organisation. In this connection you can obtain appropriate safeguards pursuant to Article 46 GDPR in connection with the transfer of personal data.
2. Right to rectification
You have the right to obtain the rectification of personal data or the supplementation of incomplete personal data concerning you from the data controller. The data controller will comply without undue delay.
3. Right to restriction of processing
When one of the following applies you have the right to obtain from the controller restriction of processing:
• If you contest the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data;
• If the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
• If the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; or
• If you have objected to processing pursuant to Article 21(1) pending the verification of whether the legitimate grounds of the controller override your grounds.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If you have obtained restriction of processing pursuant to the above the data controller will inform you before the restriction of processing is lifted.
4. Right to erasure
a) Obligation to erase personal data
You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller has the obligation to erase personal data without undue delay where one of the following grounds applies:
• The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
• You withdraw your consent on which the processing is based according to Article 6 (1) a, or Article 9 (2) a GDPR, and where there is no other legal ground for the processing.
• You object to the processing pursuant to Article 21 (1) and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21 (2) GDPR.
• The personal data concerning you have been unlawfully processed.
• The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
• The personal data have been collected in relation to the offer of information society services referred to in Article 8 (1) GDPR.
b) Information to third parties
Where the controller has made the personal data public and is obliged pursuant to Article 17 (1) GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
The right to obtain erasure does not apply if the processing is necessary
• for exercising the right of freedom of expression and information;
• for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• for reasons of public interest in the area of public health in accordance with Article 9 (2) h and i as well as Article 9 (3) GDPR;
• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) GDPR in so far as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
• for the establishment, exercise or defence of legal claims.
5. Notification obligation
If you have exercised your right to rectification or erasure of personal data or restriction of processing vis-a-vis the controller, the controller is required to communicate any rectification, erasure or restriction of processing of personal data to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
You have the right to obtain information from the controller about such recipients.
6. Right to data portability
You have the right to receive your personal data which you have provided to a controller in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data had been provided, where
• the processing is based on consent pursuant to Article 6 (1) a GDPR or Article 9 (2) a GDPR or on a contract pursuant to Article 6 (1) b GDPR; and
• the processing is carried out by automated means.
In exercising this right to data portability you also have the right to have the personal data transmitted directly from one controller to another, where technically feasible. This may not adversely affect the rights and freedoms of others.
The right to data portability does not apply to processing of personal data which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to object
You have the right at any time to object, on grounds relating to your particular situation, to processing of personal data concerning you on the basis of Article 6 (1) e or f GDPR; this also applies to profiling based on those provisions.
The controller will no longer process the personal data concerning you unless he can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is necessary for the establishment, exercise or defence of legal claims.
Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data for such marketing purposes, which includes profiling to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
8. Right to revoke consent
You have the right to revoke your consent to the processing of your personal data. This does not affect the lawfulness of processing up to the time of revocation.
9. Automated, individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision
• is necessary for entering into, or performance of, a contract between you and a data controller,
• is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
• is based on your explicit consent.
These decisions may not be based on special categories of personal data referred to in Article 9 (1) unless point a or g of Article 9 (2) applies and suitable measures to safeguard your rights, freedoms and legitimate interests are in place.
If the decision is not based on statutory provisions, the data controller implements suitable measures to safeguard your rights, freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your own point of view and to contest the decision.
10. Right to lodge a complaint with a supervisory authority
Unless an administrative or judicial remedy provides otherwise, you have the right to lodge a complaint with a supervisory authority, particularly in the Member State you live or work in, or at the place of the suspected contravention, if you believe that the processing of your personal data violates the GDPR.
The supervisory authority where the complaint is lodged informs the complainant about the status and outcome of the complaint process, including the right to an effective judicial remedy pursuant to Article 78 GDPR.
The competent supervisory authority is:
The Commissioner for Data Protection and Freedom of Information in Hesse
Professor Michael Ronellenfitsch
VII. Transfers of personal data and collaboration with third parties
1. Collaboration with processors and third parties
If we disclose, transfer or grant access to your personal data to other persons and companies (processors or third parties), (e.g. transfer of data to a third party such as a payment services provider pursuant to Article 6 (1) b GDPR for the purpose of contractual performance), this is always on the basis of a legal premise such as your consent, a statutory obligation or in our legitimate interest (e.g. when we use agents, web hosting service providers etc.).
When we engage processors to process data the data is always processed on the basis of Article 28 GDPR.
2. Transfers to third countries
If we transfer data to a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) for processing or to use third party services or if we disclose or transfer data to third parties, we do so because it is necessary to fulfil our (pre-)contractual obligations, to meet a legal obligation, because you have provided your consent or because it is in our legitimate interest to process the data. Subject to statutory or contractual permissions, we only process data or have data processed in a third country if the special requirements of Article 44 et seq. GDPR are met. Therefore, the data are only processed on the basis of special guarantees such as an official EU assessment of the adequacy of the level of data protection offered (e.g. “Privacy Shield” for the USA) or compliance with officially recognised special contractual obligations (so-called “standard contractual provisions”).
3. Incorporation of third party services and content
It is in our legitimate interest (i.e. in the interest of the analysis, optimisation and efficient operation of our website pursuant to Article 6 (1) f GDPR) to integrate third party content or services such as videos or fonts into our website (referred to in the following as “content”).
This is only possible with the third-party content provider’s knowledge of the user’s IP address, because without the IP address it would not be possible to send the content to the user’s browser. Without the IP address this content cannot be displayed. Whenever possible, we ensure that third-party content providers use only the IP address to provide the content. Some third-party content providers also use pixel tags (small blocks of code, also called web beacons) for statistical or marketing purposes. The pixel tags can evaluate information such as visitor traffic on our web pages. Other pseudonymous data can be stored in cookies on the user’s terminal and provide information about the user’s browser and operating system, referrer URLs, length of visit and other information about the use of our website and combine it with information from other sources.
We use hosting services to provide you with the following: infrastructure and platform services, processing capacity, storage space and database services, security services and technical maintenance services associated with the operation of this website.
We or our hosting services providers process inventory data, contact data, content data, contract data, usage data, meta data and communication data concerning customers, potential customers and visitors to this website. It is in our legitimate interest to process the data in order to provide an efficient and secure website pursuant to Article 6 (1) f GDPR in conjunction with Article 28 GDPR (conclusion of a contract with a processor).
5. Third party websites and data privacy
This website may contain links to third party websites. If you use one of the links to access a third-party website, please remember that we accept no responsibility or liability for third-party content or privacy policies. Please read the third-party providers’ privacy policies before transferring personal data to these websites. The operators of such linked websites are exclusively responsible for their content. When we programmed the links there was no indication that the content of the website accessed via the link failed to meet legal requirements or transgressed standards of public decency. Please inform us immediately if you access a third-party website via a link on our website which does not meet legal requirements or transgresses standards of public decency. The licence terms and terms of use of the respective website operators apply.
VIII. Website analytics services
1. Google Analytics
This website uses Google Analytics functions. The service provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The legal basis for the use of Google Analytics is Article 6 (1) f GDPR.
As an alternative to the browser add-on, or if you are using a mobile device browser, click the following link to set an opt-out cookie that will prevent Google Analytics from collecting data about you on this website in future. If you erase your cookies you will have to click on the link again.
IX. Google and Microsoft services
1. Google Maps
We integrate “Google Maps” which are provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, in our website to display location information in geographic map format. When the Google Maps service is used, Google processes data on the use of map functions by website visitors. Google will also make this information available to third parties when this is legally prescribed, or in cases where third parties process this data on behalf of Google. Under no circumstances will Google associate your IP address with other Google data. However, it is still technically feasible for Google to identify individual users on the basis of the data that is processed. It is possible that personal data and profiles of website users will be processed by Google for other purposes. We are not able to influence this. You can find further information about the data processed by Google at https://www.google.com/policies/privacy/, and you can opt out at https://adssettings.google.com/. Users can change their settings to manage the security and privacy of their personal data in the Google “Account Help” section (https://support.google.com/accounts/answer/3024190).
By using this website you consent to the collection, processing and use of automatically collected data by Google Inc., its representatives and third parties.
2. Google AdWords
This website uses the online advertising programme Google AdWords and the associated Conversion Tracking tool. Google AdWords sets a cookie on your computer if you access our website via a Google advertisement. AdWords cookies expire after 30 days and are not used for personal identification. If the user visits certain pages of our website and the cookie has not expired, we and Google can see that the user clicked on the ad and was redirected to this website. Every Google AdWords customer gets a different cookie, so cookies can’t be tracked via AdWords customer websites.
The information obtained with the conversion cookie is used to prepare conversion statistics for AdWords customers who have opted for conversion tracking. The AdWords customers get information about the total number of users who have clicked on their ad and were redirected to a website with a conversion tracking tag. However, they do not receive any information which could be used to personally identify the users.
X. Use of Social Media plugins
1. Facebook plugins
We have integrated Facebook social network plugins into our website. The plugin provider is Facebook Inc., 1 Hacker Way, Menlo Park, California 94025, USA. The Facebook plugins on our website are identified by the Facebook logo or the “Like” button. You can find an overview of Facebook plugins here: http://developers.facebook.com/docs/plugins/.
When you visit our website, the plugin establishes a direct connection between your browser and the Facebook server. Facebook receives the information that you have accessed our website from your IP address. If you click the “Like” button while logged in to your Facebook account, our website content will be linked to your Facebook profile. Facebook can then assign your visit to our website to your user account. We would like to point out that, as website provider, we have no awareness of the data which is transmitted or its use by Facebook.
If you don’t want your visit to our website to be linked to your Facebook account, please log out of Facebook before you visit our website.
2. Twitter plugins
Our website incorporates Twitter functions. They are provided by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. By using Twitter as well as the “Re-Tweet” function, websites visited by you are linked to your Twitter account and posted to other users. In this process, data is transferred to Twitter.
Via the Twitter components, Twitter receives the information that the data subject has visited our website and the time of the visit. If the data subject is logged into Twitter while visiting our website, this information is transferred to Twitter whether or not the data subject clicks on the Twitter components. If you don’t want this information to be transferred to Twitter, log out of your Twitter account before visiting our website.
3. Legal basis for the processing of personal data with social media plugins
The legal basis for the processing of data with the consent of the data subject is Article 6 (1) a GDPR. Otherwise the legal basis is Article 6 (1) f GDPR.
4. Purpose of data processing
The processing of data with social media plugins allows us to link our website to platforms such as Facebook, Twitter and Google Plus (for access to social marketing channels) and, as a result, generate new website traffic. It is also in our legitimate interest to process the data when social media plugins are used.
5. Duration of storage
The data are erased when they are no longer required for the purposes for which they were collected.
6. Right to object and opt out
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you on the basis of Article 6 (1) a GDPR.
XI. SSL encryption
This website uses SSL encryption for reasons relating to security and data transmission protection, for example when you send us enquiries. You can identify a secure website by the URL in the browser changing from “http://” to “https://” and by the padlock symbol in your browser.
When SSL encryption is enabled, third parties cannot intercept and read the data you send to us.
XII. Other information
1. Personal data concerning children and adolescents
Persons under the age of 14 should not send personal data to us without the consent of a parent or guardian. We never request, collect or transfer personal data from children or adolescents to third parties unless we have the explicit consent of a parent or guardian. If the website user is under the age of 16 and the personal data is processed with consent, that consent must be provided by the user’s parent or guardian or by the user with the parent or guardian’s consent.
2. Objection to marketing e-mails
We prohibit use of the data published in the mandatory legal notice and transmissions of unsolicited advertising and information materials. The website operator expressly reserves the right to take legal action in the event that unsolicited advertising information, such as spam mails, is received.