We are delighted about your interest in our services and take your privacy very seriously. This data protection policy sets out and explains the nature, scope and purpose of the processing of personal data (“data”) through the services and presence of  C2SP and the related websites (e.g., www.connect2smallports.eu or social/info network websites), features, content, business processes and external offline and online services (all of which are referred to herein as “service(s)”). With regard to the legal terms used, reference should be made, in particular, to the definitions in Art. 4 of the GDPR (General Data Protection Regulation).

Responsible

Hochschule Wismar, University of Applied Sciences:
Technology, Business and Design

European Project Center

Philipp-Müller-Str. 14, 23966, Wismar, Germany

Contacts:
Dr. Laima Gerlitz, laima.gerlitz@hs-wismar.de
+49 3841 753 7297

Christopher Meyer, christopher.meyer@hs-wismar.de

(hereinafter “C2SP ” or “we” or “us”)

Categories of affected persons (data subjects)

Users, visitors, interested parties, clients and business partners of C2SP services (hereinafter all categories are referred to as “users”)

Categories of processed data

Inventory data (e.g., name, postal address), contact details (e.g., email address, telephone number), content data (e.g., submitted or transmitted texts, photographs, videos or other content), usage data (e.g., visited websites, content-related interests, time and duration of access), metadata and communication data (e.g., information about accessing devices, type of browser, IP addresses),
as well as business-related processing
contract data (e.g., commencement of contract, duration, subject matter of the contract, preferred means of communication), payment details (bank details, currency, payment history)

Purposes of data processing

– Provision, maintenance and optimisation of the services including their functions and content
– Answering contact and support requests and communicating with users
– Security and integrity
– Marketing and determination of reach
– Additional business-related contract fulfilment, provision of services, customer care as well as marketing, advertising and market research

Legal bases and terms

In accordance with the requirements of Art. 13 GDPR, we are informing you of the legal bases of our data processing. If the legal basis is not mentioned in this data protection policy, the following applies:
As far as permissible, C2SP uses the data processing of cookies and so-called tracking (analysis of visitor behaviour, measurement of reach, among other things) with regard to the users, in return for the services we provide free of charge, including support.
The legal basis for obtaining consent is Art. 6 (1)(a) and Art. 7 GDPR, the legal basis for the processing of data for the performance of our services and the execution of contractual measures as well as the response to inquiries is Art. 6 (1)(b) GDPR. The same applies to processing operations that are necessary to carry out pre-contractual measures, such as in cases of inquiries about our services or the utilisation of the test phases. The legal basis for processing in order to comply with our legal obligations is Art. 6 (1)(c) GDPR, the legal basis for processing in order to protect our legitimate interests is Art. 6 (1)(f) GDPR. Art. 6 (1)(d) GDPR serves as the legal basis in the case of essential interests of the affected person or of another natural person as a necessity for the processing of personal data.
– Responsible
is the natural or juridical person, authority, agency or other body that, alone or together with others, decides on the purposes and means of processing personal data
– Third-party
is a natural or juridical person, authority, agency or body other than the affected person, the responsible person, the order processor and the persons authorised under the direct responsibility of the responsible person or the order processor, to process the personal data
– Personal data
refers to all information that is about an identified or identifiable natural person (hereinafter “the affected person”); a natural person is considered to be identifiable, directly or indirectly, particularly through association with an identifier such as a name, an identification number, location data, an online identifier (e.g., a cookie) or one or more special features, which can identify the physical, physiological, genetic, mental, economic, cultural or social identity of this natural person
– Processing
is any process or series of operations related to personal data carried out with or without the assistance of automated processes; this term is extensive and includes practically every manner of handling data
– Profiling
refers to all kinds of automated processing of personal data which consists of using that personal data to evaluate certain personal aspects about a natural person, in particular to analyse or predict aspects relating to work performance, economic situation, health, personal preferences, interests, reliability, behaviour, whereabouts or location of this natural person
– Pseudonymisation
refers to the processing of personal data in such a manner that personal data can no longer be ascribed to a specific data subject (affected person) without the need for additional information, provided that such additional information is kept separate and subject to technical and organisational measures, which ensure that the personal data cannot be ascribed to an identified or identifiable natural person
– Order processor
is a natural or juridical person, authority, agency or other body that processes personal data on behalf of the responsible person
– Consent
refers to a voluntary statement from the affected person, in an informed and unequivocal manner, in the form of a declaration or other unambiguous confirmatory act expressing that this person agrees to the processing of the personal data concerning him/her

Affected persons (data subjects) have the right…

… to revoke their consent according to Art. 7 (3) GDPR with effect in the future (right of revocation).
… to contradict to future processing of the data concerning them according to Art. 21 GDPR at any time (right of contradiction). The objection can particularly be made against processing for direct marketing purposes.
… to request a confirmation as to whether relevant data is being processed and to information about this data, as well as to further information and a copy of the data in accordance with Art. 15 GDPR.
… to demand the completion of the data concerning them or the correction of the incorrect data, in accordance with Art. 16 GDPR.
… to demand that relevant data be deleted immediately according to Art. 17 GDPR or, alternatively, according to Art. 18 GDPR, to demand limitation of the data being processed.
… to demand that the data about you, which you provided to us, be obtained in accordance with Art. 20 GDPR and to request the transmission thereof to other responsible persons.
…, to make a complaint with the responsible supervisory authority pursuant to Art. 77 GDPR. The responsible supervisory authority in matters of data protection law is the state data protection officer of the federal state in which C2SP has its headquarter. A list of data protection officers and their contact details can be found under the following link:
https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

Duration of storage, deletion of data

The data processed by us is deleted or limited in accordance with Art. 17 and Art. 18 GDPR. Unless expressly stated in this data protection policy, the data stored by us is deleted as soon as it is no longer necessary for its purpose and the deletion does not conflict with any statutory storage requirements. If the data is not deleted because it is required for other legitimate purposes, the processing thereof is limited. In these cases, the data is blocked and not processed for other purposes. This is the case, for example, with data that must be kept in order to comply with commercial, tax or real estate law.

Cooperation with externals and transfer/transmission to third countries

If we disclose data to external persons or companies (order processors or third parties), transmit data to third parties or otherwise grant others access to the data, then only on the basis of juridical consent (e.g., transmission of data to a payment service provider in accordance with Art. 6 (1)(b) GDPR for fulfilment of the contract), if the affected person has given his/her consent, if there is a legal obligation to do so or if it is based on our legitimate interests or of the external. The processing of data by third parties through our order based on a so-called processing contract takes place in accordance with Art. 28 GDPR.
If we process data outside of the European Union (EU) or the European Economic Area (EEA), or if we utilise third-party services or disclosure or transmit data to third parties, this will only be done if it is necessary to fulfil our (pre)contractual obligations, on the basis of your consent, due to a legal obligation or if it is justified based on our legitimate interests. Subject to legal or contractual permission, we only process or have the data processed in a third country if the special conditions of Art. 44 et seqq. GDPR are complied with. Specifically, processing takes place, for example, based on specific guarantees, such as the officially recognised level of data protection (implemented for the USA by the “Privacy Shield”) or the compliance with officially recognised special contractual obligations (“standard contractual clauses”).

Data processing regarding contractual relationships

CTCC enters into a manifold of contractual relationships and pre-contractual relationships. These include contractual relationships with contractual partners such as customers and ordering parties, but also with interested parties and other users (collectively “contractual partners”). We process the data of our contractual partners in accordance with Art. 6 (1)(b) GDPR in order to fulfil our contractual or pre-contractual services. The processed data itself, the nature, the scope, the purpose and the necessity of its processing are determined by the underlying contractual relationship.
The processed data includes the master data of the contractual partner (a.o. name, address), contact details (a.o. address, email address, telephone number), as well as contract data (a.o. services utilised, content of the contract, contractual communication, name of a contact person) and payment data (bank details, payment history, etc.,). In principle, we do not process any special categories of personal data, except when these are part of contracted or contractual processing.
We process data required for the establishment and fulfilment of the contractual services. We hereby point out the necessity of the indication, insofar as this is not obvious to the contractual partner. Disclosure to external persons or companies will only take place if this is necessary to fulfil the contract or service. When processing the data provided to us through an order, we act in accordance with the instructions of the client and the legal requirements.
When utilising our services, we can store the IP address and the time of the respective action of the user. The storage takes place based on our legitimate interests as well as the interests of the users with regard to protection against misuse and other unauthorised use. In principle, this data will not be disclosed to third parties unless this is necessary in order to pursue our claims pursuant to Art. 6 (1)(f) GDPR, or there is a legal obligation pursuant to Art. 6 (1)(c) GDPR. The data will be deleted if it is no longer required to fulfil contractual or statutory duties of care and any warranty, consumer protection or similar obligations. For this purpose, the necessity of keeping the data is reviewed every three years. Furthermore, legal storage obligations apply.

Data processing for processes and procedures typical for businesses

On the one hand, we process data in operational and corporate administration tasks, in the organisation of our operational and economic processes, in accounting and in the fulfilment of our legal obligations. Thereby, the same data is processed as in the provision of our contractual services. This all takes place in accordance with Art. 6 (1)(c) GDPR and Art. 6 (1)(f) GDPR. This concerns clients, interested parties, business partners and visitors of our websites. The purpose and interest in processing lies in the administration, financial accounting, office organisation and archiving of data in the maintenance of our business, fulfilment of our duties and provision of our services.
The deletion of data relating to contractual services and contractual communication is in accordance with the information provided in these processing operations. We disclose or transmit data to the financial administration, consultants (e.g., tax consultants, auditors), as well as fee/tax authorities and payment service providers. On the other hand, we store information on contractual partners based on our business interests in order to ensure, for example, communication and cooperation. We regularly store this company-related data permanently.

Hosting, log files, email dispatch

The hosting services we utilise are necessary to provide the following services: infrastructure and application services, computing and storage capacity, database services, email dispatch, as well as security and technical maintenance services, which we implement to operate our services.
Hereby, we, or if applicable, our hosting providers, process inventory data, contact details, content data, contract data, usage data, meta and communication data of clients, interested parties and visitors of our service on the basis of our legitimate interests in the efficient and secure provision of our services in accordance with Art. 6 (1)(f) GDPR in conjunction with Art. 28 GDPR (conclusion of processing contract). Our website is hosted by Amazon Web Service (AWS).
For the possible processing of data in this context, there is a corresponding order processing contract to ensure data protection. We or our hosting provider, collect(s) data on the basis of legitimate interests in line with Art. 6 (1)(f) GDPR about every access to the server, on which this service is located (so-called server log files). Access data includes the name of the visited website, file, date and time of visit, amount of data transferred, information about successful retrieval, browser type and version, user’s operating system, referrer URL (previously visited page), IP address and the requested provider. Further basis for data processing in the corresponding case is Art. 6 (1)(b) GDPR, which allows the processing of data to fulfil contractual or pre-contractual measures. Log file information is used for security reasons, such as, for example, to investigation misuse or fraud, and is stored for a maximum of 7 days and deleted thereafter. Data, of which further retention is required for evidential purposes, shall be exempted from deletion until final clarification of the event.

Registration function, verification

Users have the possibility to create an account. Upon registration, the required mandatory information is communicated to users and processed based on Art. 6 (1)(b) GDPR for purposes of providing the account or to provide the service itself. The processed data includes, in particular, the login information (email address, password, country). This data, as well as other data entered during or after registration, will be used for the purpose of providing the account and the use of related services. A legally required verification requires the collection and proof of name, address, date of birth and in the case of legal entities beyond that.
The users can be informed by email about information that is related to their account or the booked service (e.g., technical changes, news). As soon as users have cancelled their account, or the term has expired, their data concerning the account will be deleted, subject to legal storage obligations or our legitimate interests. It is the users’ responsibility to back up their data before the end of the contract. We are entitled to irretrievably delete all user data stored during the contract duration.
When using our registration and login functions, as well as the account usage and verification, we store the IP address and the time of the corresponding action of the user. This storage is based on our legitimate interests and on the interest of the user’s protection against misuse and other unauthorised use. Disclosure of this data to third parties does generally not take place unless it is necessary to pursue our claims or there is a legal obligation in accordance with Art. 6 (1)(c) GDPR. IP addresses are anonymised or deleted after 7 days at the latest.

Establishing contact

When contacting us (e.g., by contact form, email, telephone or on social networks), the user’s information is processed for the purpose of processing the request in accordance with Art. 6 (1)(b) GDPR (pre-contractual and contractual relationships) and Art. 6 (1)(f) GDPR (other inquires). User information can be stored in a Customer Relationship Management (CRM) system or a similar organisational system to optimise contact. We delete the contact inquiries, if it is no longer necessary to keep them. We check the necessity every two years. In all other cases, juridical archiving obligations apply.

Newsletter

What follows is the explanation of the content of our regular (approximately weekly) newsletter, as well as the registration, sending and statistical evaluation procedure, as well as the right of objection. By subscribing to our newsletter, you consent to the receipt and the procedures described.
Content of the newsletter:
We only send newsletters, emails and other electronic notifications with advertising information (hereinafter “newsletter”) with the consent of the recipient or legal permission. Insofar as the contents of a newsletter are concretely outlined, they are essential for the consent of the users. In addition, our newsletters contain information about our services and our company itself.
Double opt-in and logging:
Registration for our newsletter is made using the double-opt-in method. After registration, an email is sent asking for confirmation of the registration. This confirmation is necessary so that nobody can register with strange email addresses. The registration for the newsletter will be logged in order to prove the registration process in line with legal requirements. This includes storing the login and confirmation times and the IP address. Likewise, changes to your data stored with the mailing provider will be logged.
Registration data:
To register for the newsletter, it is sufficient to enter your own correct email address. We sometimes also ask for the name, so that it is possible to personally address the individual or in connection with a further contact request.
Performance measurement:
The dispatch of the newsletter and the associated performance measurement are based on the consent of the recipients in accordance with Art. 6 (1)(a) and Art. 7 GDPR in conjunction with § 7 (2)(3) UC. Otherwise, if consent is not required, based on our legitimate interests in direct marketing pursuant to Art. 6 (1)(f) GDPR in connection with § 7 (3) UC.
Logging:
Logging of the application is based on our legitimate interests in line with Art. 6 (1)(f) GDPR. Our interest lies in the application of a user-friendly and secure newsletter process that serves our business interests and meets the expectations of our users. In addition, proof of consent should be possible for us.
Termination or revocation (cancellation, deregistration):
You can cancel the receipt of our newsletter at any time, in other words, revoke your consent. An unsubscribe link to cancel the newsletter can be found at the end of every newsletter. Alternatively, a corresponding message to the contact person specified in our imprint is sufficient. We can save the email addresses for up to three years based on our legitimate interests before we delete them, in order to be able to prove prior consent. The processing of this data is limited to the purpose of a possible defence against claims. An individual request for cancellation is possible at any time, if prior existence of consent is confirmed at the same time.

Performance measurement of newsletters

The newsletters contain a so-called Web-Beacon. This is a pixel-sized file which is retrieved by our server when you open the newsletter or from the server of a mail service provider. Upon retrieval, technical information, for example information about the browser and the computer system, as well as your IP address and the time of retrieval are collected. This information is used for the technical improvement of the services based on the technical data, the target groups and their reading behaviour, which is based on the location that the information is retrieved (can be determined with the help of the IP address) or the access times. Statistical surveys also include determining if the newsletter were opened, when they were opened, and which links were clicked on. Although this information can be technically ascribed to the individual recipients, there is no intention on our part or the mail service providers to monitor individual recipients. Instead, the evaluations serve to identify the reading habits of the recipients and to adapt our content to suit these habits or to send different content according to the interests of the recipients. A separate revocation of the performance measurement is not possible. In order to do this, the newsletter itself would have to be cancelled.

Cookies, right to contradict to direct advertising

A cookie is a small file that is stored on a user’s computer. Different information can be stored within the cookie. A cookie is primarily used to store information about a user or the device during and after the user’s visit to an online service. A temporary cookie, session cookie, or transient cookie is a cookie that is deleted after a user leaves an online service and closes the browser. In a cookie of this nature, the login status or subscription status can be stored. A cookie is referred to as permanent or persistent when it remains in storage even after the browser has been closed. This allows, for example, the login status to be saved when users return to the online service after a few days. Likewise, such cookies may store the interests of the users, which is used to establish the reach or for marketing purposes. Third party cookies are cookies that are offered by providers other than the provider responsible for running the online service. With a cookie set by the responsible provider, one refers to it as a first-party cookie. C2SP can use temporary and permanent cookies and explains this in this data protection policy. If users do not want cookies to be stored on their computers, they can use the appropriate option in the system settings of the browser to disable this process. Saved cookies can be deleted in the system settings of the respective browser. The exclusion of cookies can lead to functional limitations of this service.
A general objection to the use of cookies used for the purpose of online marketing can be declared in a variety of services, especially in the case of tracking through cookies, via the US-American website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/. Furthermore, the storage of cookies can be deactivated by switching off this function in the settings of the browser. It should be noted that not all features of this service can then be used.

Google Analytics

Based on our legitimate interests (interest in the analysis, optimisation and economic operation of our services in line with Art. 6 (1)(f) GDPR), we use Google Analytics, a web analytics service provided by Google LLC (“Google”). Google uses cookies. The information generated by the cookie about the use of the online service by users is regularly transmitted to Google’s servers in the US and stored there.
Google Analytics is certified under the Privacy Shield Agreement, providing a guarantee of compliance with European data protection law ( https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active ).
Google uses information on our behalf to evaluate the use of our services by users, to compile reports on the activities within the services, and to provide us with other services related to the use of our services and internet usage. Thereby, pseudonymous usage profiles of the users can be created from the processed data.
We only use Google Analytics with activated IP anonymisation. The IP addresses of Google users will be shortened within member states of the European Union or other parties of the Agreement in the European Economic Area. Only in exceptional cases is the full IP address sent to a Google server in the USA and shortened there. The IP address submitted by the user’s browser will not be merged with other data provided by Google. Users can prevent the storage of cookies through the respective setting on their browser. In addition, users can prevent the collection of data generated by the cookie and related to their use of our service, and the processing of this data by Google, by downloading and installing the browser plug-in available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de .
For more information about Google’s data usage, settings and objection options, please refer to Google’s data protection policy ( https://policies.google.com/technologies/ads ) as well as the settings for advertising by Google ( https://adssettings.google.com/authenticated ).
The personal data of users will be deleted or anonymised after 14 months.