Privacy Police

Change Cookie Preferences

We, the Gemeinnützige Hertie‑Stiftung (hereinafter “GHST”), Grüneburgweg 105, 60323 Frankfurt, hereby inform you about the processing of personal data carried out by us.

You can reach our data protection officer by email at Datenschutz(at)ghst.de or by post at GHST DSB, daspro GmbH, Kurfürstendamm 21, 10719 Berlin, Germany.

Below, we have compiled the most important information regarding typical processing activities, separated by data subject groups. For certain processing activities that concern only specific groups, the information obligations are fulfilled separately.

Where the term “data” is used, it refers exclusively to personal data within the meaning of the GDPR.

Visitors of the website
Participants in GHST projects and events
Participants in online events via Zoom
Participants in online events via Alfaview
Applicants for a project or event of GHST
Fellows/Alumni of GHST
Applicants for employment at GHST
Newsletter subscribers
Business partners and their employees
Interested parties and communication partners
Visitors of GHST social media accounts
Rights of the data subjects and further information
Subscribers of the GHST WhatsApp channel

Section 1 – Visitors of the Website

1.1 Server Log Data

When using the website, certain information is transmitted to the server of our website by the browser used on your device for technical reasons. This data is stored and processed on our server.

(i) We process the data listed below for the purpose of providing the website content you request, ensuring the security of the IT infrastructure used, error correction, enabling and facilitating search functions on the website, and managing cookies. A change of purpose is not planned.

(ii) The processed data is HTTP data: HTTP data is log data that is generated for technical reasons when the website is accessed via the Hypertext Transfer Protocol (Secure) (HTTP(S)): This includes the IP address, type and version of your internet browser, the operating system used, the page accessed, the previously visited page (referrer URL), date and time of access. HTTP(S) data is also collected on servers of service providers (e.g. when third-party content is accessed).

(iii) The legal basis for the processing is our legitimate interest in operating an online presence and exchanging information with communication partners pursuant to Art. 6 (1) (f) GDPR.

(iv) The data is automatically provided by the browser of the website user.

(v) Recipients of the personal data are IT service providers that we use as processors within the framework of a data processing agreement.

(vi) IP addresses are anonymised after 24 hours at the latest. Pseudonymous usage data will be deleted after six months.

(vii) Without disclosing personal data such as the IP address, the use of the website is not possible. Communication via the website without providing data is technically impossible.

1.2 Technically Required Cookies

We use cookies on our website. Cookies are small text files containing information that may be stored on the user’s device via the browser when visiting a website. When the website is revisited using the same device, the information stored in cookies can be read and processed. In doing so, we use processing and storage functions of your device’s browser and collect information from its storage.

In our privacy policy, we distinguish between technically required cookies, statistics cookies, marketing cookies, and multi‑ and social‑media content from third‑party providers. Cookies that are technically necessary for the functioning of the website (“technically required cookies”) cannot be deactivated via the cookie management function on this website. You can, however, deactivate cookies in your browser at any time. Different browsers provide different ways to configure cookie settings. Please note that some website functions may not work or may no longer function properly if you deactivate cookies in your browser entirely.

a) Cookiebot CMP by Usercentrics

We use the Usercentrics Consent Manager “Cookiebot CMP” to manage consents, possible withdrawals of consent, and objections by users regarding the use of cookies.

(i) The purpose of the processing is the management of users’ decisions regarding cookies (consent, withdrawal, opt‑out) and ensuring the security of the application. A change of purpose is not planned.

(ii) The processed data are:

HTTP data:
Log data generated when accessing the website via the Hypertext Transfer Protocol (Secure) HTTP(S): IP address, browser type and version, operating system used, accessed page, previously visited page (referrer URL), date and time of access, language, and geolocation.
Consent cookies:
User decisions regarding individual cookies or groups of cookies, time of decision and last visit (Consent ID, date and time of consent, browser user agent, and consent status).

(iii) The legal basis is our legitimate interest in simple and reliable cookie management (Art. 6 (1) (f) GDPR; Section 25 (2) (2) TDDDG).

(iv) The data are provided either actively by the visitor (cookie settings) or automatically by the browser (log data, timestamps).

(v) Recipient is Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark, which we use as processor within the framework of a data processing agreement. Usercentrics A/S engages Microsoft Ireland Operations Ltd. (One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland) which in turn engages Microsoft Corporation (USA), as well as Akamai Technologies, Inc. (145 Broadway, Cambride, MA 02142, USA). Microsoft and Akamai are certified under the EU‑US Data Privacy Framework (Article 45 GDPR). Moreover, Microsoft and Akamai have concluded the EU Standard Contractual Clauses (2021/914; Module 3). You may request a copy of the essential contractual provisions at any time.

(vi) Withdrawals of consent are stored for three years (accountability). The management cookie will be deleted six months after the last visit. Log data is anonymised before storage.

(vii) Without disclosing personal data, the use of the website is not possible. Communication via the website without providing data is technically impossible.

1.2 b) Google Tag Manager

We use the Google Tag Manager on our website. Google Tag Manager enables us to manage cookies and control when they are delivered. This allows us, for example, to implement your consent, a withdrawal of consent, or an opt‑out. Google Tag Manager does not set its own cookies and does not process data stored in cookies.

(i) The purpose of the processing is to control the delivery of cookies on our website and to ensure the security of the application. A change of purpose is not planned.

(ii) The processed data is HTTP data. HTTP data is log data that is technically generated when accessing the website via the Hypertext Transfer Protocol (Secure) (HTTP(S)). This includes the IP address, browser type and version, operating system used, the accessed page, the previously visited page (referrer URL), date and time of access. HTTP(S) data is also collected on servers of service providers (e.g. when third-party content is accessed). Your IP address is automatically anonymised during processing.

(iii) The legal basis for the processing is our legitimate interests in simple and reliable cookie management pursuant to Art. 6 (1) (f) GDPR.

(iv) The data is automatically provided by the browser of the website user.

(v) Recipient of the data is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland, which we use as processor within the framework of a data processing agreement. Google Ireland Limited engages Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, as a processor. The Google entities (including Google LLC) are certified under the EU‑US Data Privacy Framework pursuant to Article 45 GDPR. Moreover, Google has concluded the EU Standard Contractual Clauses (2021/914; Module 3) with Google LLC and other sub‑processors. You may request a copy of the essential contractual provisions at any time.

(vi) IP addresses are anonymised at the latest after 24 hours. Pseudonymous usage data are deleted after six months.

(vii) Without disclosing personal data, such as the IP address, the use of the website is not possible. Communication via the website without providing data is technically impossible.

1.3 Statistics Cookies - Google Analytics

We use cookies on our website. Cookies are small text files containing information that may be stored on the user’s device via the browser when visiting a website. When the website is revisited using the same device, the information stored in cookies can be read and processed. In doing so, we use the processing and storage functions of your device’s browser and collect information from its storage.

In our privacy policy, we distinguish between technically required cookies, statistics cookies, marketing cookies, and multi‑ and social‑media content from third‑party providers. Depending on their function and purpose, the use of certain cookies may require the user’s consent. Consent is obtained by means of a so‑called “cookie banner”: When you access our website, our cookie banner is displayed. By clicking the button “Select all”, you may provide your consent for the use of all cookies requiring consent on this website. Without such consent, cookies requiring consent will not be activated. By adjusting the individual sliders, you may also make differentiated choices regarding individual cookies or reject all cookies requiring consent entirely and then save your settings by clicking the corresponding button “Save settings”. Your choice is stored in a cookie. Alternatively, within the privacy policy, you may click the button “Change cookie settings” to access our “cookie dashboard”. In the cookie dashboard, you may make an individual selection of cookies and adjust your preferences at any later time. We store your cookie settings in the form of a cookie on your device so that, upon your next visit to the website, we can determine whether you have already made cookie settings.

If you have provided your consent, we use the web analysis tool Google Analytics on our website. Google Analytics enables us to examine the user behavior of visitors to our website in pseudonymised and anonymised form.

You may deactivate the processing of data by Google Analytics at any time in our “cookie dashboard”. Alternatively, you may install a browser plug‑in provided by Google which prevents data collection by Google Analytics: tools.google.com/dlpage/gaoptout.

(i) The purpose of the processing is the analysis of the user behavior on our website. A change of purpose is not planned.

(ii) The processed data are:

Google Analytics HTTP data:

Log data that is technically generated when using the web analysis tool Google Analytics on the website via the Hypertext Transfer Protocol (Secure) (HTTP(S)): This includes IP address, browser type and version, operating system used, accessed page, previously visited page (referrer URL), date and time of access.

Google Analytics device data:
Data generated by Google Analytics and assigned to your device, including a unique ID to recognise returning visitors (“Client ID”) and certain technical parameters used to control data collection for web analytics.
Google Analytics measurement data:
Device‑related raw data (“dimensions” and “metrics”) collected and analysed by Google Analytics when using our website: information about sources through which visitors reach our web offer, information on location, browser, and device used, information on website usage (particularly page views, frequency of access, and dwell time), and information on achieving specific goals (e.g., transactions in an online shop). These data are linked to the Client ID assigned to your device, thereby creating device‑related usage profiles. The data collected using Google Analytics do not allow us to identify you personally (i.e., by your civil name). Without your consent, we do not combine these device‑related raw data or usage profiles with data that personally identify you.
Google Analytics report data:
Data contained in aggregated, segment‑related, and device‑related reports generated by Google Analytics on the basis of the analysis of the raw data.

(iii) The legal basis for the processing is your consent (Art. 6 (1) (a) GDPR).

(iv) The data are automatically provided by the browser of the user.

(v) Recipient of the data is Google Ireland Limited (Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland), which we use as processor within the framework of a data processing agreement. Google Ireland Limited engages Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, as a processor. The Google entities (including Google LLC) are certified under the EU‑US Data Privacy Framework pursuant to Article 45 GDPR. Moreover, Google has concluded the EU Standard Contractual Clauses (2021/914; Module 3) with Google LLC and other sub‑processors. You may request a copy of the essential contractual clauses at any time.

(vi) The data will be deleted after six months.

(vii) The provision of data is neither legally or contractually required nor necessary for the conclusion of a contract. The data subject is not obliged to provide the data. Without the provision of data, we cannot perform web analytics using Google Analytics.

1.4 Marketing Cookies – Meta Pixel

We use cookies on our website. Cookies are small text files containing information that may be stored on the user’s device via the browser when visiting a website. When the website is revisited using the same device, the information stored in cookies can be read and processed. In doing so, we use the processing and storage functions of your device’s browser and collect information from its storage.

In our privacy policy, we distinguish between technically required cookies, statistics cookies, marketing cookies, and multi‑ and social‑media content from third‑party providers. Depending on their function and purpose, the use of certain cookies may require the user’s consent. Consent is obtained by means of a “cookie banner”: When you access our website, our cookie banner is displayed. By clicking the button “Select all”, you may provide consent for the use of all cookies requiring consent on this website. Without such consent, cookies requiring consent will not be activated. By adjusting the individual sliders, you may also make differentiated choices regarding individual cookies or reject all cookies requiring consent entirely and then save your settings by clicking the corresponding button. Your choice is stored in a cookie. Alternatively, within the privacy policy, you may click the button “Change cookie settings” to access our “cookie dashboard”. In the cookie dashboard, you may make an individual selection of cookies and adjust your preferences at any later time. We store your cookie settings in the form of a cookie on your device so that, upon your next visit to the website, we can determine whether you have already made cookie settings.

If you have provided your consent, we use the so‑called “Meta Pixel”. In doing so, cookies of Meta Platforms Ireland Limited, Harbour, D2, 4 Grand Canal Quay, Square, Dublin, Ireland (“Meta”) are used. The Meta Pixel enables Meta, among other things, to collect information about activities of users on our website. By integrating the Meta Pixel, we enable Meta to collect personal data. The collection and processing of these data—after your consent—is carried out solely under the responsibility of Meta. We have no knowledge of the details of how personal data are processed within Meta’s area of responsibility or whether data processing takes place in the USA. Information on the processing of personal data by Meta can be found in Meta’s privacy policy: de-de.meta.com/about/privacy/.

Meta provides us with analyses or additional information generated from the collected data solely in aggregated, anonymised form. We cannot assign the information made available to us to any natural person.

You may deactivate the processing by Meta in our “cookie dashboard” at any time. Alternatively, you may deactivate the Meta Pixel for the browser you are currently using by disabling the storage of cookies in your browser settings.

(i) The purpose of the Meta Pixel is to enable Meta to collect and process user data on our website. The purposes of the processing carried out by Meta are determined solely by Meta:
de-de.facebook.com/privacy/policy/.

(ii) According to Meta, the processed data are:

Meta Pixel HTTP data
Log data that is technically generated when using the Meta Pixel on the website via the Hypertext Transfer Protocol (Secure) (HTTP(S)): This includes IP address, browser type and version, operating system used, accessed page, previously visited page (referrer URL), date and time of access.
Meta Pixel device data
Data assigned to your device by the Meta Pixel, including a unique ID to recognise returning visitors.
Meta Pixel event data
Data collected by Meta via the Meta Pixel and linked to the unique visitor ID contained in the device data: These include actions carried out on the website (“events”), such as the exact URL visited on www.ghst.de.
They also include information associated with these actions (“parameters”), e.g. whether the form for subscribing to the GHST newsletter was submitted.
Meta Pixel analytics data
Data generated by Meta based on the information collected by the Meta Pixel and assigned to the unique visitor ID contained in the device data: including information about the effectiveness of Meta advertisements and user assignments to target groups for Meta advertisements. Meta may generate additional data for its own purposes or for third parties. We have no knowledge of the details of such processing.

(iii) The legal basis for enabling the collection of personal data via our website by Meta is your consent (Art. 6 (1) (a) GDPR). We do not perform any processing of personal data within our own area of responsibility in this context. We have no knowledge of the legal bases used by Meta for its processing.

(iv) The Meta Pixel analytics data are generated autonomously by Meta. We do not know whether Meta uses additional data sources.

(v) Recipient of the data collected via our website is Meta Platforms Ireland Limited, which is responsible for the collection and processing of personal data. Meta Platforms Ireland Limited engages Meta Platforms, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, as a processor. As an independent controller, Meta Platforms Ireland Limited is responsible for ensuring appropriate data protection safeguards for international data transfers.

(viii) We do not perform any automated decision‑making within our area of responsibility. We have no knowledge regarding any automated decision‑making within Meta’s area of responsibility.

1.5 Multi‑ and Social‑Media Content from Third‑Party Providers

We integrate multimedia content and content from social‑media platforms on our website, provided you have given your consent via our “cookie banner”.

a) Spotify Content

If you activate the corresponding slider in the cookie banner or in the cookie dashboard for “Spotify” under the category “Multi‑ and social‑media content from third‑party providers” to play the content, you consent to us enabling Spotify to collect data for its own purposes. The collection and processing of these data are carried out exclusively under the responsibility of Spotify AB, Regeringsgatan 19, 111 53 Stockholm, Sweden.

Audio files stored on Spotify and accessible there are linked on our website. Once you activate the corresponding slider in the cookie banner or cookie dashboard, the file is loaded from Spotify. Technically, the same process occurs as if you accessed the Spotify website through a link: Spotify receives all information automatically transmitted by your browser (including your IP address). Spotify also sets its own cookies on your device. This occurs even if you do not have a Spotify user account. If you are logged in to Spotify, your data will be directly associated with your account. If you do not wish your data to be associated with your Spotify profile, you must log out of Spotify before clicking the audio file.

We have no knowledge of further details of the processing of personal data within Spotify’s area of responsibility. GHST has no influence over Spotify’s data processing.

Information on the processing of personal data by Spotify can be found in the Spotify privacy policy: www.spotify.com/de/legal/privacy-policy/

b) Podigee Podcast Hosting

If you activate the corresponding slider in the cookie banner or in the cookie dashboard for “Podigee Podcast Hosting” in the category “Multi‑ and social‑media content from third‑party providers” to play podcast content, you consent to us enabling Podigee to collect data for its own purposes. The collection and processing of these data are carried out exclusively under the responsibility of Podigee GmbH, Schlesische Straße 20, 10997 Berlin.

Podcast files stored on Podigee and accessible there are linked on our website. Once you activate the corresponding slider in the cookie banner or cookie dashboard, the file is loaded from Podigee. Technically, the same process occurs as if you accessed the Podigee website through a link: Podigee receives all information automatically transmitted by your browser (including your IP address). Podigee also sets its own cookies on your device.

We have no knowledge of further details of the processing of personal data within Podigee’s area of responsibility. GHST has no influence over Podigee’s data processing.

Information on the processing of personal data by Podigee can be found in the Podigee privacy policy: www.podigee.com/de/about/privacy/

c) YouTube Embedding (Privacy‑Enhanced Mode) and Google Fonts

If you activate the corresponding slider in the cookie banner or in the cookie dashboard for “YouTube and Google Fonts” in the category “Multi‑ and social‑media content from third‑party providers” to play the content, you consent to us enabling Google, as the provider of the YouTube service, to collect data for its own purposes. The collection and processing of these data are carried out exclusively under the responsibility of Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. Google Ireland Limited engages Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, as a processor.

We embed videos stored on YouTube on our website. Embedding Google Fonts content may also occur. When embedded, content from the YouTube website is displayed in parts of a browser window. However, the YouTube videos are only retrieved by clicking on the video separately. YouTube content is embedded in what is known as “privacy-enhanced-mode”. Google, as the operator of YouTube, provides this mode and thus ensures that no data is transmitted to Google and no cookies are stored on your device before you click on the cookie banner or cookie dashboard to play the video.

Once you activate the corresponding slider in the cookie banner or cookie dashboard, the video is loaded from YouTube. Technically, the same process occurs as if you accessed the YouTube website through a link: YouTube receives all information automatically transmitted by your browser (including your IP address). YouTube also sets its own cookies on your device. This occurs even if you do not have a YouTube user account. If you are logged in to YouTube or Google, your data will be directly associated with your account. If you do not wish your data to be associated with your user account at YouTube or Google, you must log out before clicking the corresponding sliders in the cookie banner or cookie dashboard.

We have no knowledge of further details of the processing of personal data within Google’s area of responsibility. GHST has no influence over Google’s data processing.

Information on the processing of personal data by Google can be found in the Google privacy policy: policies.google.com/privacy

d) Yumpu Content

If you activate the corresponding slider in the cookie banner or in the cookie dashboard for “Yumpu” in the category “Multi‑ and social‑media content from third‑party providers” to display animated PDFs, you consent to us enabling Yumpu to collect data for its own purposes. The collection and processing of these data are carried out exclusively under the responsibility of i‑magazine AG, Gewerbestrasse 3, 9444 Diepoldsau, Switzerland.

When you access an animated PDF (for example, an annual report) on our website, a connection is established to the servers of Yumpu in Switzerland. Accessing the online magazines requires Yumpu to process the IP addresses of the users, as content typically cannot be sent to your browser without the IP address.

Further information on Yumpu can be found in the i‑magazine AG privacy policy:
www.yumpu.com/de/info/privacy_policy

2. Participants in GHST Projects and Events

(i) We process your personal data for the purpose of carrying out the project or event, as well as for documenting the project or event through image and audio recordings and for using these recordings for press and public relations purposes. Another purpose is the transfer of participant data to the cooperation partners named in connection with the respective project or event, for the purposes specified in each case. A change of purposes is not planned.

(ii) The processed data are participant data, which may vary depending on the project or event. Usually, however, these include names and contact details of participants and, in some cases, photographic images of participants or individual project results. Further details are always provided as part of the specific project or event.

(iii) The legal bases for the processing of data of participants in projects and events are the contract for carrying out the event (Art. 6 (1) (b) GDPR) and statutory obligations, in particular tax and commercial law requirements (Art. 6 (1) (c) GDPR). The legal basis for the creation of image and audio recordings is your consent (Art. 6 (1) (a) GDPR) and our legitimate interest in documenting the events or projects carried out by us and in representing GHST in press and public relations (Art. 6 (1) (f) GDPR) or the participation contract for the event (Art. 6 (1) (b) GDPR). Your consent is voluntary. Participation in the event is also possible without the provision of your consent to such recordings. If the project or event involves participants under 16 years of age, consent or agreement to the participation contract is provided by the holder of parental responsibility, or the child’s own consent is provided with the approval of the holder of parental responsibility (Art. 8 (1) sentence 2 GDPR). The legal basis for transferring participant data to the cooperation partners named in connection with the individual project or event is our legitimate interest in carrying out the project or event (Art. 6 (1) (f) GDPR).

(iv) Recipients of the image and audio recordings may include any members of the public for the purpose of press and public relations work, in particular journalists, media companies, press and photo agencies, members, employees, visitors of the website, and users of social media platforms. Further recipients may include service providers we use as processors within the framework of a data processing agreement, in particular web-hosting companies, IT and media service providers. Recipients of participant data are the cooperation partners named in connection with the specific project or event. Unless otherwise stated in the respective project or event, these cooperation partners act as independent controllers for the processing. Further details can be found in the privacy policies of the respective cooperation partners, which are provided as part of the specific project or event.

(v) When image and audio recordings are published on the internet (GHST website, GHST social‑media channels, video recordings on platforms such as YouTube), data are regularly transferred to so‑called third countries outside the European Union that are considered unsafe third countries under data protection law. GHST has no influence over how the operators of social‑media platforms handle the data. Whether and for which purposes the data are further processed in the third country lies outside GHST’s knowledge.

(vi) Archived image and audio recordings from the event, as well as publications, are generally not deleted. All contract‑ and booking‑related data are stored for ten calendar years after the end of the contract in accordance with tax and commercial retention obligations. Other data collected during the event will be deleted six months after the event has taken place.

(vii) The provision of data is contractually required for participation in events and projects. Without providing the data, participation is not possible. The creation of image and audio recordings is not mandatory for participation. If you do not wish to appear in photographs or recordings, please inform our staff at the event location.

3. Participants in Online Events via Zoom

(i) We process personal data of participants for the purpose of organising, conducting, and documenting GHST online events via Zoom. Provided that we indicate this separately in the context of the individual online events and obtain your consent in this regard, the online event will be recorded and the recording will be published on the website, the GHST YouTube channel, or other channels specified. A change of purposes is not planned.

(ii) The personal data processed by GHST as the controller in the context of Zoom online events are:

Participant data
First and last name, email address
Zoom conference data
Meeting metadata: topic, IP address, device/hardware information
Telephone data: When dialing in by phone, incoming and outgoing phone numbers, country name, start and end time and possibly further connection data
Communication data
During the online event, your communication data in the form of questions, verbal contributions, votes and chat messages are processed. You always decide for yourself whether and in what form you wish to participate.
Image, audio, and video data (and recordings thereof, if consent has been given)
Image, audio and video data of participants will be processed during the online event. However, each person is free to decide whether they want to turn on their camera and microphone or whether they want to communicate via the chat window only.

If we have obtained your consent in this regard, the online event will be recorded, including the image, audio and video data of the participants.

Payment data (only for paid online events)
For paid online events, we also process payment data.

(iii) The legal basis for processing personal data of participants for the purpose of conducting online events via Zoom is either the participation contract for the online event (Art. 6 (1) (b) GDPR) or our legitimate interest in offering online events via video conferencing (Art. 6 (1) (f) GDPR). The legal basis for creating and publishing recordings on the GHST website or other specified channels is your consent (Art. 6 (1) (a) GDPR).

(iv) You may withdraw consent at any time with effect for the future. The withdrawal does not affect the lawfulness of processing based on the consent before its withdrawal. For this reason, recordings already published (e.g., on websites or social media) are not deleted.

(v) Participant data and payment data are actively provided by the data subject during registration for the online event. Zoom conference data are actively provided by the data subject or automatically provided by the browser or device. Image, audio, video and communication data are collected automatically. Recordings of image, audio and video data are created by GHST.

(vi) Participant and payment data are deleted after ten years (legal retention periods due to participation in the online event). Zoom conference data and communication data are generally deleted three months after the online event has taken place, unless otherwise specified.
Image, audio and video data, the corresponding recordings, and selected archived material are not deleted. However, excess raw recording material is deleted three months after the event.
In addition, you may request deletion of your personal data at any time, unless we are legally or contractually obliged or entitled to continue processing the data.

(vii) Recipients of names, communication data as well as image, audio and video data are always the moderators and other participants of the respective online event. We also engage service providers as processors within the framework of a data processing agreement, in particular for the provision, maintenance, and servicing of IT systems – especially the service provider Zoom Video Communications, Inc., 55 Almaden Blvd, Suite 600, San Jose, CA 95113, USA. We have concluded the EU Standard Contractual Clauses (2021/914; Module 2) with Zoom. You may request a copy of the essential contractual provisions at any time.

If you create your own Zoom profile during registration, the processing of those personal data is carried out under the sole responsibility of Zoom Video Communications, Inc. We have no knowledge of further details regarding Zoom’s data processing in this regard. More information on data processing by Zoom can be found in their privacy policy: www.zoom.us/privacy.

Recipients of published image, audio and video recordings – including participant names – may include any members of the public, in particular journalists, press agencies, members, employees, visitors of the website, social‑media users and service providers acting as processors, especially web‑hosting companies and IT and media service providers.

When publishing recordings online (e.g., GHST websites, YouTube videos), data is regularly transferred to third countries outside the European Union which are considered unsafe third countries under data protection law. GHST has no influence over how social‑media operators handle the data. Whether and for which purposes the data is processed further in the third country lies outside GHST’s knowledge.

(viii) The provision of data is contractually required for participation in online events. Without providing the data, participation in online events is not possible. The provision of communication, image, audio and video data, as well as the creation of recordings, is not mandatory for participation.

4. Participants in Online Events via Alfaview

(i) We process the personal data of participants for the purpose of organising, conducting, and documenting GHST online events via Alfaview. Provided that we indicate this separately in the context of the individual online events and obtain your consent in this regard, the online event will be recorded, and the recording will be published on the website, the GHST YouTube channel, or other channels specified. A change of purposes is not planned.

(ii) The processed data are:

Registered Alfaview users

Users may optionally provide further information in their profile such as title, initials, location

Users joining via guest links

Name or pseudonym, or in the case of an individualised guest link, name and e-mail address

General data

Meeting metadata:

Topic, IP address, device/hardware information

Communication data:

During the online event, your communication data in the form of questions, verbal contributions, votes and chat messages are processed. You always decide for yourself whether and in what form you wish to participate.

Image, audio, and video data (and recordings thereof, if consent has been given):

Image, audio and video data of participants will be processed during the online event. However, each person is free to decide whether they want to turn on their camera and microphone or whether they want to communicate via the chat window only.

If we have obtained your consent in this regard, the online event will be recorded, including the image, audio and video data of the participants.

Payment data (only for paid online events):
For paid online events, we also process payment data.

(iii) The legal basis for processing personal data of adult participants for the purpose of carrying out online events via Alfaview is our legitimate interest in conducting the respective online events (Art. 6 (1) (f) GDPR). If the project or event involves minor participants, consent is provided by the holder of parental responsibility, or the child’s own consent is provided with the approval of the holder of parental responsibility (Art. 8 (1) sentence 2 GDPR). The legal basis for creating and publishing recordings on the GHST website or other specified channels is your consent (Art. 6 (1) (a) GDPR).

(iv) You may withdraw consent given at any time with effect for the future. The withdrawal does not affect the lawfulness of processing based on the consent before its withdrawal. For this reason, recordings already published (e.g., on websites or social media) are not deleted.

(v) Participant data and payment data are actively provided by the data subject during registration for the online event. Meeting metadata are automatically provided by the browser or device. Image, audio, video and communication data are collected automatically. Recordings of image, audio and video data are created by GHST.

(vi) Participant data and payment data are deleted after ten years (legal retention periods due to participation in the online event). Communication data and other data are generally deleted three months after the online event has taken place, unless otherwise specified.
Image, audio and video data, the corresponding recordings, and selected archived material are not deleted. However, excess raw recording material is deleted three months after the event.
In addition, you may request deletion of your personal data at any time, unless we are legally or contractually obliged or entitled to continue processing the data.

Recipients of published image, audio and video recordings – including participant names – may include any members of the public, in particular journalists, press agencies, members, employees, website visitors, social‑media users, and service providers acting as processors, especially web‑hosting companies and IT and media service providers.

5. Applicants for a GHST Project or Event

(i) We process your personal data for the purpose of executing the application procedure and the selection of participants for the respective GHST project or event. A change of purpose is not planned.

(ii) The legal basis for the processing is the initiation of a contract regarding participation in the project or event (Art. 6 (1) (b) GDPR). If you do not apply yourself but, for example, are nominated or proposed by someone else, the legal basis is our legitimate interest in knowing the proposed individuals for the respective project and their professional qualifications (Art. 6 (1) (f) GDPR).

(iii) The data is internally forwarded to the staff members responsible. In addition, the data is partly shared with an evaluation committee and with project partners as part of the application process. We also engage service providers as processors within the framework of a data processing agreement, including service providers involved in selection procedures as well as those responsible for the provision, maintenance, and servicing of IT systems.

(iv) Applicant data for study programs, research programs and training events will be deleted six months after the end of the application process. All contract‑ and booking‑relevant data are stored for ten calendar years after the end of the contract in accordance with tax and commercial retention requirements.

(v) Without the provision of data, participation in the application processes for GHST projects and events is not possible.

6. Fellows/Alumni of GHST

(i) We process your personal data for the purpose of participation in Fellows/Alumni programs of GHST, including their organisation and documentation. A change of purpose is not planned.

(ii) The processed data are:

Master data: name, gender, title, contact details (electronic, postal), date of birth, nationality, affiliation with GHST
Information on profession, qualifications, education and CV, areas of interest, self‑descriptions
Photographs and self‑generated content (images, comments, contributions)
Bank details (e.g., in the case of donations)
Applications and registration data in connection with events (e.g., dietary preferences)

(iii) The legal basis for the processing is your consent for participation in the Fellows/Alumni programs (Art. 6 (1) (a) GDPR) as well as statutory obligations, in particular tax and commercial law requirements (Art. 6 (1) (c) GDPR).

(iv) Recipients of the data may include other participants in GHST Fellows/Alumni programs for networking purposes. We also engage service providers as processors within the framework of a data processing agreement when providing services, in particular for the provision, maintenance, and servicing of IT systems.

(v) The data of participants in the Fellows/Alumni programs will be only deleted when the participant deregisters from the program.

(vi) Without the provision of data, participation in the GHST Fellows/Alumni programs is not possible.

7. Applicants for Employment at GHST

(i) We process your data for the purpose of selecting the applicants for an employment relationship. A change of purpose is not planned.

(ii) The processed data are the application documents and any additional voluntarily provided information.

(iii) The legal basis is Section 26 BDSG in conjunction with Art. 6 (1) (b) GDPR (initiation of the employment contract) and Art. 88 GDPR. Voluntary information provided as part of your application is processed on the basis of your consent (Section 26 (2) BDSG in conjunction with Art. 6 (1) (a) GDPR and Article 88 GDPR).

(iv) Applicant data are internally forwarded to the responsible staff members. We also engage service providers as processors within the framework of a data processing agreement for the provision, maintenance, and servicing of IT systems.

(v) Applicant data will be deleted six months after the end of the specific application process.
If you have expressed interest in other positions as well, the data will be stored for up to 12 months after the last job offer or your last expression of interest.

(vi) Providing data is necessary for applicants. Without the provision of data, an application is not possible.

8. Newsletter Subscribers

(i) We process your data for the purpose of dispatching our newsletters. A change of purpose is not planned.

(ii) The processed data are the name, email address and the selected newsletter.

(iii) The legal basis for processing personal data for newsletters is your consent (Art. 6 (1) (a) GDPR). Where newsletter recipients are under 16 years of age, consent is provided by the holder of parental responsibility or the child’s own consent is given with the approval of the holder of parental responsibility (Art. 8 (1) sentence 2 GDPR).

(iv) We engage service providers as processors within the framework of a data processing agreement for the provision, maintenance and servicing of IT systems.

(v) Data relating to newsletters will be deleted upon unsubscription.

(vi) The provision of data is mandatory for receiving newsletters. Without the provision of data, newsletters cannot be sent.

9. Business Partners and Their Employees

(i) We process your data for the purpose of preparing and executing contracts as well as communicating with employees of our business partners. A change of purpose is not planned.

(ii) The legal basis for processing data relating to contracts with natural persons is preparation and execution of the contract (Art. 6 (1) (b) GDPR), whereas for contracts with legal persons it is our legitimate interest in communicating with the relevant contact person (Art. 6 (1)(f) GDPR), as well as our statutory obligations under tax and commercial law provisions (Art. 6 (1) (c) GDPR).

(iii) Recipients of personal data may include banks for the processing of payments. Authorities and public bodies may also be recipients insofar as we are legally obliged or entitled to transmit data. Furthermore, we engage service providers as processors within the framework of a data processing agreement in connection with the provision, maintenance and servicing of IT systems.

(iv) All contract‑ and booking‑relevant data are stored for ten calendar years after the end of the contract in accordance with tax and commercial retention obligations.

(v) The provision of data is both legally and contractually mandatory for business partners and their employees. Without the provision of data, the business relationship cannot be established or carried out.

10. Interested Parties and Communication Partners

(i) We process data for the purpose of communicating with interested parties and communication partners of GHST. A change of purpose is not planned.

(ii) The legal basis for processing data of interested parties and other communication partners is our legitimate interest in communicating with interested parties and communication partners (Art. 6 (1) (f) GDPR).

(iii) We forward enquiries internally to the responsible staff members. We also engage service providers as processors within the framework of a data processing agreement in connection with the provision, maintenance and servicing of IT systems.

(iv) Enquiries and communication are automatically deleted after ten calendar years.

(v) The provision of data is necessary for interested parties and communication partners. Without the provision of data, communication is not possible.

11. Visitors of GHST Social‑Media Accounts

11.1 General Information

GHST operates several social‑media accounts. The respective social‑media platforms are operated by service providers who process the data generated through the technical operation of the platform.

(i) The purpose of the data processing on our social‑media accounts is to provide you with interesting content and to interact with you on social‑media platforms.

(ii) The processed data consists of content and usage data on such social‑media accounts.

(iii) Information and data displayed or shared on the GHST social‑media account may be accessible to the provider of the respective social‑media platform, its users, and GHST (or commissioned service providers).

(iv) Further details regarding data processing on the respective social‑media accounts can be found on the corresponding social‑media platforms and in these privacy notices.

11.2 Tool for Social‑Media Management and Monitoring (Hootsuite)

To manage and monitor social‑media content on GHST’s social‑media accounts, GHST uses the tool Hootsuite.

(i) The purpose of the processing is the management and monitoring of content on GHST’s social‑media accounts, through which we provide visitors with information about GHST's programs and offerings. A change of purpose is not planned.

(ii) The processed data are:

User‑generated content
Content created by users (e.g. messages, posts, comments, feeds on the social‑media accounts). These are data that users decide to publish on public social‑media networks. Such data may also include special categories of personal data within the meaning of Art. 9 GDPR, depending on what users share.
Name and/or contact details of users

The legal basis for the processing is our legitimate interests in efficient and professional management and monitoring of GHST social‑media accounts (Art. 6 (1) (f) GDPR). The legal basis for processing special‑category data is their publication by the data subject (Art. 9 (2) (e) GDPR).

(iii) Name, contact details and user‑generated content are actively provided by the data subject.

(iv) Recipients of names and user‑generated content may include any members of the public, as these contents are published autonomously by users on public social‑media platforms. We also engage service providers as processors within the framework of a data processing agreement, in particular for the provision, maintenance, and servicing of IT systems – especially Hootsuite Inc., 111 East 5th Avenue, Vancouver, BC, Canada V5T 4L1. Hootsuite may use subcontractors in the USA. Hootsuite has concluded the EU Standard Contractual Clauses (2021/914; Module 2). You may request a copy of the essential contractual provisions at any time.

(v) The data will be stored only for the duration of GHST staff processing sessions. Event‑related data, such as comments in which users tag GHST, can only be processed as long as the event (the tag) remains active. We note that user‑generated content may be deleted by users at any time.

(vi) The provision of data is not mandatory. Without the provision of data, GHST cannot conduct social‑media monitoring and cannot respond to user comments or content.

11.3 Meta

GHST and Meta (for users in the EU/EEA: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) act as joint controllers for the processing of personal data on the GHST Meta page. The joint‑controller arrangement is available at:
www.facebook.com/legal/controller_addendum

According to this agreement, Meta is responsible for informing data subjects about the processing activities. Meta’s privacy policy is available at: www.facebook.com/privacy/explanation

Data subjects may exercise their rights against either of the joint controllers, GHST and/or Meta.

Further information about the data Meta shares with GHST can be found at:
www.facebook.com/business/learn/facebook-page-insights-basics

11.4 Instagram

GHST and Instagram (for users in the EU/EEA provided by Meta Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) act as joint controllers for the processing of personal data on the GHST Instagram page. The joint‑controller arrangement is available at:
www.facebook.com/legal/controller_addendum

According to the agreement, Instagram (provided by Meta) is responsible for informing data subjects about data processing. Instagram’s privacy policy is available at:
help.instagram.com/519522125107875

Data subjects may exercise their rights against either GHST and/or Instagram (provided by Meta).

Further information about the data Instagram shares with GHST can be found at:
de-de.facebook.com/help/instagram/788388387972460

11.5 YouTube

We operate a social‑media page on the YouTube platform. Data collection and processing are under the sole responsibility of Google (for the EU/EEA: Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland). Google Ireland Limited uses Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, as a processor.

We have no knowledge of further details regarding data processing within the area of Google’s controllership, including possible processing in the USA. GHST has no influence on how Google processes the data.

Information on the processing of personal data by Google can be found in Google’s privacy policy: policies.google.com/privacy.

11.6 Twitter

We operate a social‑media page on Twitter (operated by Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA). For users in the EU/EEA, the GDPR controller‑to‑controller addendum applies:
gdpr.twitter.com/en/controller-to-controller-transfers.html

According to the agreement, data collection and processing are carried out solely under the responsibility of Twitter. Twitter’s privacy policy is available at:
twitter.com/en/privacy

11.7 TikTok

GHST and TikTok (TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and TikTok Information Technologies UK Limited, WeWork, Aviation House, 125 Kingsway, London WC2B 6NH as joint controllers) act as joint controllers for the processing of personal data (“TikTok Engagement Data”) on the GHST TikTok page. The joint‑controller agreement is available at: www.tiktok.com/legal/page/global/tiktok-analytics-joint-controller-addendum/en

According to the agreement, TikTok is responsible for informing data subjects about the processing activities. TikTok’s privacy policy is available at:
www.tiktok.com/legal/page/eea/privacy-policy/en

Data subjects may exercise their rights against either GHST and/or TikTok.

Further information about the data TikTok shares with GHST can be found at:
www.tiktok.com/legal/page/global/information-about-tiktok-analytics/en

For processing outside the scope of TikTok Engagement Data, GHST and TikTok act as separate, independent controllers.

12. Rights of the Data Subjects and Further Information

(i) We do not use any procedures for automated individual decision‑making.

(ii) You have the right to request information at any time about all personal data that we process about you.

(iii) If your personal data are incorrect or incomplete, you have the right to rectification and completion.

(iv) You may request the deletion of your personal data at any time, provided we are not legally obliged or entitled to continue processing your data.

(v) Where the legal requirements are met, you may request the restriction of the processing of your personal data.

(vi) You have the right to object to the processing of your personal data where the processing is carried out for the purposes of direct marketing or profiling.

(vii) If the processing is based on a balancing of interests, you may object to the processing on grounds relating to your particular situation.

(viii) Where processing is based on your consent or carried out within the scope of a contract, you have the right to receive the data you have provided in a structured, commonly used, and machine‑readable format, provided this does not adversely affect the rights and freedoms of others.

(ix) If we process your data on the basis of your consent, you have the right to withdraw your consent at any time with effect for the future. The processing carried out before the withdrawal remains unaffected.

(x) You also have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates applicable law.

13. Subscribers of the GHST WhatsApp Channel

For interested individuals, it is possible to subscribe to our GHST WhatsApp channel. Meta Platforms Ireland Ltd. (‘Meta’) is responsible for the operation of the WhatsApp communication platform under data protection law. Information on data processing by WhatsApp can be found in Meta’s privacy information: https://www.whatsapp.com/legal/privacy-policy-eea?lang=de_DE. GHST has no influence on how Meta processes the data.

(i) The purpose of the processing is to provide information about GHST projects, events, calls for applications, and other activities via the GHST WhatsApp channel. A change of purpose is not planned.

(ii) The data processed by GHST as the controller are:

WhatsApp profile name of the subscriber
If applicable, the profile picture stored in WhatsApp (depending on individual privacy settings)
Reactions (e.g., emoji responses or participation in surveys within the channel)

The subscriber’s telephone number is not visible to us unless it is already stored in our contacts. Direct communication via WhatsApp (e.g., chat messages) does not take place.

(iii) The legal basis for the processing is our legitimate interest in using the WhatsApp communication channel for the provision of information (Art. 6 (1) (f) GDPR).

(iv) We receive the data when the data subject subscribes to the WhatsApp channel.

(v) The WhatsApp platform is operated by Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland. Meta processes personal data (e.g., connection data, profile information, device information) under its own responsibility. Data may be transferred to third countries, in particular the USA. Meta is certified under the EU‑US Data Privacy Framework.

(vi) GHST does not store or further process the data outside the WhatsApp channel. Posts, reactions, and survey results remain visible within the app for up to 30 days and are then automatically deleted by WhatsApp.

(vii) The provision of data is required to receive information via the WhatsApp channel.
Without a subscription, receiving the distributed content is not possible. Alternative information channels (e.g., newsletters, website) remain available.

Change Cookie Preferences