Data protection declaration
As of July 2025
Your personal data are processed when you visit our websites, contact us through our various online forms, use social media, or participate in our events and tours. You are therefore a data subject under the General Data Protection Regulation (GDPR) and have the right to be informed about certain matters at the point in time when the data are collected.
Personal data include information or circumstances that can be linked to a person in any way. It does not matter who specifically can make this link; the mere possibility is enough. Name, address, occupation, email address, health status, income, marital status and telephone number are all considered personal data. Viewed videos, interests and usage data such as an IP address also fall under this category.
The GDPR regulates the processing of personal data. The term processing is very broad and covers everything from collection to deletion. Personal data can, for example, be collected, organised, sorted, stored, adapted, modified, read, queried, used, disclosed, transmitted or provided.
We at DBFZ are obliged to inform data subjects about certain matters at the time their personal data are collected. This privacy policy covers all of the key aspects regarding how data are processed on our website, as well as further information on various processing situations and data subject groups.
Who is responsible for the data processing?
DBFZ Deutsches Biomasseforschungszentrum gemeinnützige GmbH
Torgauer Str. 116
D - 04347 Leipzig
Telephone: +49 (0)341 2434-112
Email: info@dbfz.de
Management: Prof. Dr. mont. Michael Nelles (sc.); Dr. Christoph Krukenkamp (admin.)
Chair of the Supervisory Board: Olaf Schäfer
How do I contact the data protection officer?
Dr. Knut Karnapp, attorney-at-law
PETERSEN HARDRAHT PRUGGMAYER Rechtsanwälte Steuerberater Unternehmensberater Partnerschaft mbB
Markt 4, 09111 Chemnitz
Telephone: +49 (0) 371 66645960
Email: datenschutz@dbfz.de
What are my rights as a data subject?
You have the right of access (Art. 15 GDPR), right to rectification (Art. 16 GDPR), right to erasure (Art. 17 GDPR), right to restriction of processing (Art. 18 GDPR) and right to data portability (Art. 20 GDPR) provided that the respective legal requirements are met and no exceptions apply. Please note that you can exercise these rights at any time. However, legal requirements such as retention obligations may prevent us from fulfilling your request.
When we process personal data to protect our legitimate interests in accordance with Art. 6 (1)(f) GDPR, you have a general right to object. Should you object, we will stop processing if there are specific reasons arising from your particular circumstances and we have no overriding interest in processing the data.
If we require your consent to process your personal data, we will ask you for your express consent in advance. Your consent can be revoked at any time with future effect. However, this does not affect any data processing that has occurred up to that point. Consent can be revoked by sending an email to datenschutz@dbfz.de or by writing to DBFZ Deutsches Biomasseforschungszentrum gemeinnützige GmbH, Torgauer Str. 116, 04347 Leipzig, Germany.
You also have the right to lodge a complaint with the competent data protection authority at any time:
Federal Commissioner for Data Protection and Freedom of Information
Postfach 1468
53004 Bonn
Who are the potential data recipients?
Your data will be noted and used by the relevant employees at our company. Since the data are stored in our systems, it cannot be ruled out that they may also be noted by our IT service providers in the course of troubleshooting.
If, in the course of processing, we disclose data to other persons and companies (order processors or third parties), transfer data to them, or otherwise grant them access to the data, this shall only occur on the basis of legal authorisation (e.g. if the transfer of data to third parties is necessary for the performance of a contract in accordance with Art. 6 (1)(1b) GDPR), if you have given your consent, if a legal obligation requires it, or if it is based on our legitimate interests (e.g. when using authorised representatives, web hosting providers, tax consultants, economic and legal advisors, customer care services, accounting services, billing services etc. that enable us to efficiently and effectively fulfil our contractual obligations, administrative tasks and duties).
Will my data be transferred to third countries outside the European Union?
We do not transfer data to third countries (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or process data there. However, if, in exceptional cases, this is necessary to fulfil our obligations, the processing or disclosure and/or transfer of data to third parties will only occur if this is required to fulfil our (pre)contractual obligations, is done with your consent, fulfils a legal obligation, or is based on our legitimate interests. Subject to legal or contractual permissions, we only process or have data processed in a third country if the special requirements of Article 44 et seq. GDPR are met. This means that processing is conducted on the basis of special guarantees, for example where it has been officially determined that the level of data protection is equivalent to that of the EU (e.g. through an adequacy decision by the EU for the country concerned) or where officially recognised EU standard contractual clauses have been agreed on with the recipient of the data, for example in the USA.
What determines how long my data are stored?
The duration of storage is primarily based on the statutory retention periods and our legitimate interest in continuing to store the data.
What happens when accessing our website?
When you browse our website, certain data are automatically collected and stored in server log files. In particular, usage data are processed, such as browser type/version, the type of operating system used, the referrer URL (the previously visited webpage), your device’s IP address and the time of the server request. This establishes and maintains the connection between your device and our website.
This processing is permissible based on our legitimate interest (Art. 6(1)(f) GDPR). We want to present the DBFZ and our research activities on our website and facilitate contact. Thus, interested parties, applicants and cooperation partners obtain a better understanding of our activities. The described data processing is required to access the website.
The data are automatically deleted or anonymised within 30 days at the latest.
Why do we use cookies?
We use essential cookies to operate our website, implement certain functions, and meet telemedia requirements. This involves processing usage data (e.g. IP address).
The data processing that takes place in this context is permissible pursuant to Article 6(1)(f) GDPR (legitimate interest). We aim to improve user-friendliness, optimise the display (e.g. on mobile devices), prevent fraud, and safeguard security.
In addition, we must ensure that any data collection that requires consent only occurs when consent has actually been given. Therefore, certain technical settings must be logged. Essential cookies, such as session cookies, are automatically enabled and cannot be deactivated.
Session cookies are deleted once you leave the website.
Which data are processed when using the online contact forms or communicating by e-mail?
Various online contact forms can be used if you have questions or would like to contact us in general. Certain information is required by these forms, such as your name and email address, so that we can better assign and process your message. Alternatively, you can contact us in the regular way by email using your own email client (e.g. Outlook). We process the data you provide so that we can respond to your enquiry.
This processing is permissible based on our legitimate interest (Art. 6(1)(f) GDPR). As we would like to be able to receive and respond to your enquiries (e.g. regarding a research collaboration) regardless of place and time, we therefore offer you an electronic means of contacting us. We use the data you provide to respond to your enquiry. This provision of information is necessary for you to contact us.
Your message will be viewed and answered internally by the respective employees.
We store your enquiry for the duration of the exchange or beyond should a cooperation agreement be reached.
Can I subscribe to a newsletter?
Our website offers newsletters on various topics. You can subscribe to a newsletter using the respective online form. In order to send you the newsletter, we require your email address and surname. Other data, such as your first name, gender and, in the case of our events newsletter, your personal areas of interest pertaining to events and the desired language of the newsletter, are provided on a voluntary basis and are not essential for receiving a newsletter. However, it can be advantageous if you would like to receive newsletters on specific topics that correspond to your personal interests. In this case, traffic data such as your IP address and the date and time of registration are also processed.
The data will only be used to send you the newsletter. Data that are processed in connection with the distribution of a newsletter are not usually passed on to third parties. Certain event series (e.g. the Doctoral Colloquium BIOENERGY AND BIOBASED Products, or the expert discussion ‘Particle Separators in Domestic Furnaces’) are also organised by partner institutions. If you have signed up to receive these event emails, your data will be passed on to the respective partner institution if this is needed to organise and conduct the respective event.
By subscribing to the newsletter, you consent to your data being processed in accordance with Article 6(1)(a) GDPR.
The user’s email address is collected for the purpose of delivering the newsletter. The user’s name and email address are also collected for the purpose of providing information about our events and for targeted communication with the user. The collection of other personal data during the registration process serves to prevent misuse of the services or the email address used.
The data are deleted as soon as they are no longer required for the purpose for which they were collected. The aforementioned user data are therefore stored for as long as the newsletter subscription is active. The automatically collected data are deleted as soon as there is no longer any risk of misuse, usually after completion of the registration process. If you revoke your consent, they are deleted from the address database of the respective newsletter.
Providing your data for advertising purposes is done on a voluntary basis. A newsletter subscription can be cancelled by the user at any time. You can unsubscribe by sending a message to veranstaltungen@dbfz.de. This also allows you to revoke your consent to the storage of personal data collected during the registration process.
Is my website visit analysed?
We aim to improve our website and to take the interests of our users into consideration. Therefore, we use the free data analysis software Matomo Analytics in order to have adequate data to evaluate the server log files generated when someone accesses the website and subpages. This tool is integrated into our website and installed on the same server. Thus, no data are transferred to third parties for analysis. The programme stores the server log files and generates meaningful statistics for us. The collected data and the analysis based on it are automatically anonymised so that they cannot be linked to a person. These data are not merged with other data sources. No cookies are used.
Permissibility for the analysis is based on our legitimate interest (Art. 6(1)(f) GDPR).
We store the statistical analyses for an unlimited period of time. Due to the anonymisation of these data, it is no longer possible to link them to a person.
Online presence on social networks
In accordance with our legitimate interests pursuant to Article 6(1)(f) GDPR, we maintain an online presence on social networks and platforms so that we can communicate with customers, interested parties and active users on these platforms, and to inform them about our research. When accessing these networks and platforms, the terms and conditions and data processing guidelines of the respective providers shall apply.
Unless otherwise stated in our privacy policy, we process user data when users communicate with us through our social networks and platforms, e.g. by posting on our social media or messaging us.
Which data are processed when I watch YouTube videos on your website?
We utilise YouTube videos on our website. YouTube is a service provided by YouTube LLC (‘YouTube’), 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube LLC is a subsidiary of Google Ireland Limited (‘Google’), Gordon House, Barrow Street, Dublin 4, Ireland.
When you visit our website, YouTube is notified that you have accessed the corresponding subpage of our website. In addition, further information about the use of the website (e.g. date and time of access, IP address, etc.) may be transmitted to Google’s servers (possibly in a third country such as the USA) and stored there. This occurs regardless of whether you are logged in to a user account provided by YouTube or have no user account.
When using YouTube, data are transferred to third countries. Data transfer to the USA is permissible without further authorisation on the basis of an adequacy decision by the EU Commission in accordance with Article 45(3) GDPR for data transfer to the USA, i.e. the EU-U.S. Data Privacy Framework. Google is certified under the Data Privacy Framework and is therefore committed to complying with European data protection principles. This also applies to all Google subsidiaries. More information about the Data Privacy Framework can be found here.
The provider has also stated (see ‘Legal Framework for Data Transfers’) that it has incorporated standard data protection clauses to ensure an adequate level of data protection.
The data are not used by Google to personalise your YouTube experience – neither in the embedded data privacy mode nor during subsequent use of YouTube since the videos are embedded in what is known as enhanced data privacy mode. Advertisements that appear in a video played in the embedded player’s enhanced data privacy mode are also not personalised. Furthermore, when a video is played in the embedded player’s enhanced data privacy mode, it is not used to personalise advertising shown to you outside our website.
We use YouTube to present you with videos on various topics related to DBFZ. Article 6(1)(a) GDPR provides the legal basis for the processing of your personal data. Before the video starts, you will be asked to give your consent to activate the YouTube plug-in. If you do not provide consent, the YouTube service will not be activated and your data will not be transmitted to Google. Your consent is provided on a voluntary basis.
If the processing of the data requires the storage of such information on your end device or access to information already stored on your end device, this is done in accordance with Section 25 (1) TDDDG.
The provision of data is neither required by law nor necessary to conclude a contract. Failure to provide the data will result in you being unable to access the video from our website. Alternatively, you can watch the video directly on YouTube.
Further information on the purpose and scope of data collection and how it is processed by YouTube can be found in Google’s Privacy Policy and Terms of Service.
Which data are processed when I view DBFZ’s location on the interactive map on your website?
Our website uses OpenStreetMap (OSM) to display interactive maps. This map service is provided by the OpenStreetMap Foundation, headquartered in St John’s Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom.
OpenStreetMap is used to display geographical information, e.g. to make it easier to find our location.
When accessing the map’s content, the following data may be transmitted to OpenStreetMap’s servers: IP address, browser information, operating system, subpage visited (referrer URL), date and time of the request.
The data are processed on servers belonging to the OpenStreetMap Foundation, some of which are located in the United Kingdom. The United Kingdom is recognised by the European Commission as a third country that complies with data protection regulations.
OpenStreetMap can only be integrated with your express consent in accordance with Article 6(1)(a) GDPR. Your consent can be given via our consent management tool (e.g. cookie banner). The map will not be loaded without your consent.
You can revoke your consent at any time with future effect by adjusting the settings in the cookie banner/consent tool. OpenStreetMap will no longer load once you withdraw your consent.
Further information on data processing by OpenStreetMap can be found in OpenStreetMap Foundation’s privacy policy:
https://wiki.osmfoundation.org/wiki/Privacy_Policy
Which data are processed during the application process?
It is possible to apply for open positions on our website. This requires you to provide us with information and various documents. We process your personal data as part of the application process as well as when reviewing and evaluating your documents and when assessing you within this context. We also use your personal data to communicate with you and to arrange an appointment for an interview.
Permissibility for processing your personal data for the purpose of conducting the application process is governed by Article 6(1)(b) GDPR in conjunction with Section 26 (1) sentence 1 of the Federal Data Protection Act (BDSG) and is expressly permitted by law. This applies to all processes specifically related to your application (e.g. storage of your HR master data, correspondence with you, and the assessment of your performance and qualifications). As part of your application, you are required to provide the information we request in order to participate in the application process. Without these data, you cannot be considered for the position.
Your data will be noted and used by the employees responsible for the application process, in particular by the Human Resources Department and its corresponding supervisors. Since the data are stored in our systems, it cannot be ruled out that they may also be noted by our IT service providers in the course of troubleshooting.
The duration of storage depends on the length of the application process, which ends either when the position is filled or for other reasons (e.g. inability to fill a position, elimination of the need to do this). The relevant data will be deleted no later than 3 months after the end of the application process.
Which information is processed when you participate in an event?
The contact details that you provide when registering for an event are used to enable you to participate in the event. The processing of your data is therefore permissible under Article 6(1)(b) GDPR, as it is required to fulfil our contractual obligation with you.
It is permissible to process and store your data for invitations to future events, as we would like to inform you in the future about similar events and have a legitimate interest in doing so in accordance with Art. 6(1)(f) GDPR. You do, however, have the right to object to the processing of these data at any time.
Transferring your contact details from us to our cooperation partners, storing them with them, and using them for invitations to their events is only permissible if you have given your consent in accordance with Article 6(1)(a) GDPR. We will request this consent separately within the context of the corresponding events. However, this is not required to participate in an event. Your consent to the transfer of your contact details is voluntary. Refusal to provide consent will have no adverse consequences for you. Further information on data protection related to an event with a cooperation partner can be obtained when registering for the respective event.
Furthermore, photos and videos could potentially be taken for public relations purposes at events held on our premises. The creation and publication of these recordings is permissible because the processing is necessary to pursue our legitimate interests and because the interests of the data subjects do not outweigh our own interests (Art. 6(1)(f) GDPR). In each individual case we comprehensively assess the balance between our interests and yours as a participant. Nevertheless, you retain the right to object to this data processing at any time.
Portraits, interviews or recordings made for purely journalistic and editorial purposes, as well as their publication require your consent prior to the collection and publication of such data in accordance with Article 6(1)(a) GDPR. Consent can be revoked at any time. However, photos and recordings that have been taken and published up until this time remain lawful, even if you revoke your consent.
What other data are processed during an online event?
We use software to transmit audio, video and chat content for online events, thereby enabling real-time communication between participants. We use the Zoom X software from Telekom Deutschland GmbH, Am Seestern 3, 40547 Düsseldorf, which is provided in cooperation with Zoom Video Communications Inc., 55 Almaden Boulevard, 6th Floor, San Jose, California, USA. Participation in an online event does not require you to create a user account with Zoom X. You simply need to follow the link in the invitation email and log in through the web interface. Participation does require you to provide, at minimum, your name and email address, as well as the meeting ID sent to you, so that we can identify you as an authorised participant.
When participating in an online meeting, various metadata (e.g. IP address, device/hardware information), connection data (e.g. phone number, country name, start and end time) and content data (e.g. chat history, audio, video) are processed. Metadata and connection data are information that must be generated when using Zoom X. Otherwise, it is not possible to establish a connection to you and the end devices you are using. You have control over which content data are processed by Zoom X. You can switch off the camera or microphone at any time, thereby preventing data from being processed. The chat function is also used on a voluntary basis. The chat history is only stored in exceptional cases and when warranted, for example, when participants pose a large number of questions and make numerous comments at an event, so that these queries can also be responded to at a later point in time. These chat histories are subsequently also deleted. Further information on data protection related to Zoom X can be found in the supplementary information provided on the Telekom Deutschland GmbH website:
https://geschaeftskunden.telekom.de/hilfe-und-service/cloud-software/zoomx
Using Zoom X is permissible on the basis of our legitimate interests (Art. 6(1)(f) GDPR). Online events are an alternative and addition to traditional in-person events and are in increasing demand with the advancement of digitalisation. We must adapt to this and offer flexible solutions.
The recipients of your name and the content data you generate when data are processed by Zoom X are those participating in the online event.
Your name and email address will be stored for the duration of the online event to ensure proper identification. The resulting metadata and connection data will be stored on Zoom X for one month in order to investigate any subsequent security incidents that may arise. If there are no irregularities, the data will automatically be deleted.
When using Zoom X, it cannot be ruled out that, in exceptional cases, your personal data may be transferred to the United States or other third countries outside the EU and the EEA. However, Telekom Deutschland GmbH and its cooperation partner Zoom Video Communications Inc. as well as their service providers have included the standard data protection clauses recognised by the EU Commission in their licensing terms to ensure an adequate level of data protection, also outside the EU and the EEA. Apart from this, usage data are only transmitted in pseudonymised form on Zoom X, which means that it is not possible for the data processor outside the EU to personally identify you.
Is the online event recorded?
Some of our online events are recorded. These are mainly expert lectures that are made available to as wide an audience as possible after the event. This is also a way to highlight the research work carried out by the DBFZ and give prospective cooperation partners and applicants an even better sense of the institution. Therefore, selected video footage may later be published on various internet platforms, e.g. on the company’s own website (www.dbfz.de and www.energetische-biomassenutzung.de), on social networks (e.g. Instagram, BlueSky, LinkedIn and YouTube), internally (e.g. intranet) and in advertising material (e.g. training documents, promotional videos).
Recording and publication are carried out with the prior consent of the speakers (Art. 6 (1)(a) GDPR). This consent is obtained during registration and is required to participate and/or is linked to participation. As a participant, your personal data are recorded on a voluntary basis, which can be prevented by anonymising your name in the software (using an alias) and by not using the video and audio functions. This means that you can participate passively in the online event without your personal data being stored. Even though you will not be able to actively participate by speaking, you can still use the chat function.
Your data will be noted and used by the employees that are responsible for organising the event, creating the necessary film sequences, and publishing them. Since the data are stored in our systems, it cannot be ruled out that they may also be noted by our IT service providers in the course of troubleshooting. Furthermore, external service providers will also note your data if we commission them to carry out individual advertising campaigns.
The recording will be stored for as long as we have a legitimate interest in storing and publishing it.
The recipient group cannot be conclusively identified for content published on the Internet. The recording could potentially be accessed in third countries outside the EU and the EEA that do not have an adequate level of data protection. This risk is always present when publishing content on the Internet.
How is the recording carried out?
Video surveillance is continuously used in outdoor spaces on the DBFZ site, even during operating hours. As soon as you enter an area monitored by a camera, video data relating to you will be collected, viewed on monitors, and stored. Video surveillance and processing automatically take place upon entering the monitored area and are a pre-condition for entering the DBFZ premises. There is no acoustic surveillance.
Why does recording take place?
The recording is done on the basis of our legitimate interests in accordance with Article 6(1)(f) GDPR, in particular with the aim of protecting property rights, identifying perpetrators, preventing burglaries, vandalism and other criminal offences, and protecting visitors and employees.
Our employees responsible for monitoring the company’s premises will note and use your data. Since the data are stored in our systems, it cannot be ruled out that they may also be noted by our IT service providers in the course of troubleshooting.
How long are the recordings stored?
The recordings are deleted 72 hours after they are produced. They will be stored longer if the data are required to preserve evidence as a result of a specific incident. The data are immediately deleted as soon as they are no longer required for the purpose for which they were collected. The recordings will only be visually examined for the purposes specified in the presence of a works council member and the data protection officer.