Privacy Police

We, the Hertie Foundation for Public Benefit (hereinafter "GHST"), Grüneburgweg 105, 60323 Frankfurt, provide information at this point about the processing of personal data carried out by us.

Our Data Protection Officer can be reached via email at ghst(at)daspro.de or by post at GHST DSB, daspro GmbH, Kurfürstendamm 21, 10719 Berlin.

Below, we have compiled the most important information on the typical data processing, divided according to the groups of data subjects. For certain data processing operations that only affect specific groups, the obligations to provide information are fulfilled separately.

If the term "data" is used in the text, this always refers exclusively to personal data within the meaning of the GDPR.

1. Visitors to the website

2. Participants in GHST projects and events

3. Participants in online events via Zoom

4. Participants in online events via Alfaview

5. Applicants for a GHST project or event

6. GHST Fellows/Alumni

7. Applicants for employment with GHST

8. Subscribers to the newsletter

9. Business partners and their employees

10. Interested parties and communication partners

11. Visitors to GHST's social media accounts

12. Rights of the data subjects and further information

1. Visitors to the website

1.1 Server log data

When using the website, the browser deployed on your device automatically sends certain information to the server of our website. This data is stored and processed on our server.

(i) We process the data listed below for the purpose of providing the content of the website you have accessed, ensuring the security of the IT infrastructure used, troubleshooting, enabling and simplifying the search on the website, and managing cookies. A change of this purpose is not planned.

(ii) The processed data is HTTP data: HTTP data is log data that is technically generated when the website is accessed via the Hypertext Transfer Protocol (Secure) (HTTP(S)): This includes IP address, type and version of your internet browser, the operating system used, the accessed page, the previously visited page (referrer URL), date and time of access. HTTP(S) data is also generated on servers of service providers (e.g., when third-party content is accessed).

(iii) The legal basis for processing is our legitimate interest in operating a web presence and exchanging with communication partners according to Art. 6 para. 1 lit. f) GDPR.

(iv) The data is automatically provided by the visitor's browser to the website.

(v) Recipients of the personal data are IT service providers, which we use within the framework of an agreement for processing orders.

(vi) IP addresses are anonymized no later than after 24 hours. Pseudonymous usage data is deleted after six months.

(vii) Without the provision of personal data such as the IP address, use of the website is not possible. Communication via the website without providing data is technically not possible.

1.2 Required Cookies - Google Tag Manager

We use cookies on our website. Cookies are small text files with information that can be stored on the user's device through the browser when visiting a website. When the website is accessed again with the same device, the information stored in the cookies can be read out and processed. We use processing and storage functions of your device's browser and collect information from your browser's storage.

We distinguish between required cookies, statistical cookies, marketing cookies, and multi- and social-media content from third parties in our privacy policy. Cookies technically necessary for the function of the website, so-called "required cookies", cannot be deactivated via the cookie management function of this website. However, you can deactivate cookies at any time in general in your browser. Different browsers offer different ways to configure the cookie settings in the browser. However, we would like to point out that possibly some functions of the website do not or no longer function properly if you generally deactivate cookies in your browser.

We use the Google Tag Manager on our website. The Google Tag Manager enables us to manage cookies and control their delivery. This allows us to implement your consent, a revocation of consent, or an opt-out, for example. The Google Tag Manager does not set its own cookies and does not process data stored in cookies.

(i) The purpose of the data processing is to control the delivery of cookies on our website and to ensure the security of the application. A change of this purpose is not planned.

(ii) The processed data is HTTP data. HTTP data is log data that is technically generated when the website is accessed via the Hypertext Transfer Protocol (Secure) (HTTP(S)). This includes IP address, type and version of your internet browser, the operating system used, the accessed page, the previously visited page (referrer URL), date and time of access. HTTP(S) data is also generated on servers of service providers (e.g., when third-party content is accessed). Your IP address is automatically anonymized during processing.

(iii) The legal basis for processing is our legitimate interest according to Art. 6 para. 1 lit. f GDPR in the simple and reliable control of cookies.

(iv) The data is automatically provided by the user's browser.

(v) Recipient of the data is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland, within the framework of processing orders.

(vi) IP addresses are anonymized no later than after 24 hours. Pseudonymous usage data is deleted after six months.

(vii) Without the provision of personal data such as the IP address, use of the website is not possible. Communication via the website without providing data is technically not possible.

1.3 Statistical Cookies – Google Analytics

We use cookies on our website. Cookies are small text files with information that can be stored on the user's device through the browser when visiting a website. When the website is accessed again with the same device, the information stored in the cookies can be read out and processed. We use processing and storage functions of your device's browser and collect information from your browser's storage.

We distinguish between required cookies, statistical cookies, marketing cookies, and multi- and social-media content from third parties in our privacy policy. Depending on their function and purpose of use, the use of certain cookies may require the user's consent. The granting of your consent takes place via a so-called "cookie banner": When calling up our website, we display our cookie banner. In our cookie banner, you can declare your consent for the use of all consent-requiring cookies on this website by pressing the "Select All" button. Without such consent, the consent-requiring cookies are not activated. By adjusting the individual sliders, you can also make differentiated settings regarding the individual cookies or completely reject all consent-requiring cookies and then confirm the selection made by clicking on the corresponding button. Your decision is stored in a cookie. Alternatively, you have the possibility to go to our "Cookie Dashboard" by clicking on the "Change Cookie Settings" button. In the Cookie Dashboard, you can make an individual selection of cookies and adjust it individually at a later date. We store your cookie settings in the form of a cookie on your device to determine whether you have already made cookie settings when you visit the website again.

If you have given your consent, we use the web analysis tool Google Analytics on our website. With the help of Google Analytics, we can investigate the user behavior of the visitors of our website in pseudonymized and anonymized form.

You can deactivate data processing by Google Analytics at any time in our "Cookie Dashboard". Alternatively, you can install a browser plug-in from Google, which prevents data collection by Google Analytics: tools.google.com/dlpage/gaoptout.

(i) The purpose of data processing is to analyze the user behavior of our website. A change of this purpose is not planned.

(ii) The processed data are:

- Google Analytics HTTP data: These are log data that technically arise when using the web analysis tool Google Analytics used on the website via the Hypertext Transfer Protocol (Secure) (HTTP(S)): This includes IP address, type and version of your internet browser, operating system used, the accessed page, the previously visited page (referrer URL), date and time of retrieval.

- Google Analytics device data: Data generated by the web analysis tool Google Analytics and assigned to your device: This includes a unique ID for the (re-)recognition of recurring visitors (so-called "Client-ID") and certain technical parameters for controlling the data collection for the web analysis.

- Google Analytics measurement data: Device-related raw data (so-called "dimensions" and "measurements"), which are recorded and analyzed by the web analysis tool Google Analytics when using our web offer: This mainly includes information about the sources from which visitors come to our web offer, information about the location, the used browser and the used device, information about the use of the website (especially page views, call frequency and duration of stay on accessed pages) as well as information about the fulfillment of certain goals (especially transactions in the online shop). The data is each assigned to the Client-ID assigned to your device. As a result, device-related usage profiles are created in which all device-related raw data are combined into one Client-ID. The data that we collect using Google Analytics do not allow us to identify you directly personally (i.e., based on your civil name). Without your consent, we do not combine the device-related raw data and the resulting device-related usage profiles with data that directly identifies you personally.

- Google Analytics report data: Data contained in aggregated segment and device-related reports created by the web analysis tool Google Analytics based on the analysis of the device-related raw data.

(iii) The legal basis for processing is Article 6 paragraph 1 lit. a GDPR (consent).

(iv) The data is automatically provided by the user's browser.

(v) The recipient of the data, within the scope of order processing, is Google Ireland Limited (Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland). Google Ireland Limited employs Google LLC in the USA (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) as a service provider. The basis for data processing in the USA is your consent given via the cookie banner (Art. 49 para. 1 lit. a) GDPR). In the USA, there is no level of data protection comparable to the requirements of the GDPR. It is possible that government agencies will access personal data without us or you knowing about it. It is likely that you will not be able to enforce your rights in the USA. You can revoke your consent at any time with future effect via the cookie dashboard.

(vi) The data is deleted after 6 months.

(vii) The provision of data is not legally or contractually required or necessary for a contract conclusion. There is no obligation for the data subject to provide the data. If the data is not provided, we cannot perform web analysis using Google Analytics.

1.4 Marketing Cookies - Facebook Pixel

We use cookies on our website. Cookies are small text files with information that can be stored on the user's device through the browser when visiting a website. When the website is called up again with the same device, the information stored in cookies can be read out and processed. We use processing and storage functions of your device's browser and collect information from your device's browser storage.

In the structure of our privacy policy, we distinguish between necessary cookies, statistics cookies, marketing cookies, and multi- and social media content from third parties. Depending on their function and purpose of use, the user's consent may be required for the use of certain cookies. Your consent is given via a so-called "cookie banner": When you call up our website, we display our cookie banner. In our cookie banner, you can declare your consent for the use of all consent-required cookies on this website by pressing the "Select All" button. Without such consent, the consent-required cookies are not activated. By setting the individual sliders, you can also make differentiated settings with regard to the individual cookies or completely reject all consent-required cookies and then confirm your "selection" by clicking on the corresponding button. Your decision is stored in a cookie. Alternatively, you can access our "Cookie Dashboard" by clicking on the "Change Cookie Settings" button. In the Cookie Board, you can make an individual selection of cookies and adjust it individually at a later time. We store your cookie settings in the form of a cookie on your device to determine whether you have already made cookie settings when you call up the website again.

If you have given your consent, we use the so-called "Facebook Pixel". In this case, cookies from Facebook Ireland Limited, Harbour, D2, 4 Grand Canal Quay, Square, Dublin, Ireland ("Facebook") are used. The "Facebook Pixel" enables Facebook, among other things, to collect information about the activities of users on our website. By integrating the "Facebook Pixel", we enable Facebook to collect personal data. The collection and processing of this data takes place after your consent exclusively in the area of responsibility of Facebook. We have no knowledge of the details of the processing of personal data in Facebook's area of responsibility or possible data processing in the USA. You can find information about Facebook's processing of personal data in Facebook's data policy: de-de.facebook.com/about/privacy/.

Facebook only provides us with the evaluations or additional information created based on the collected data in aggregated, anonymized form. We cannot associate the information provided to us with any natural person.

You can deactivate data processing by Google Facebook at any time in our "Cookie Dashboard". Alternatively, you can deactivate the Facebook Pixel for the browser you are currently using by disabling the storage of cookies in your browser settings.

(i) The purpose of the Facebook Pixel is to enable Facebook to collect and process user data on our website. The purposes of processing by Facebook are solely determined by Facebook (https://de-de.facebook.com/about/privacy/).

(ii) The data processed according to Facebook's information are:

■ Facebook Pixel HTTP Data

This refers to log data that technically arises when using the Facebook Pixel on the website via the Hypertext Transfer Protocol (Secure) (HTTP(S)): This includes the IP address, type and version of your internet browser, operating system used, the page accessed, the page visited before (referrer URL), date and time of retrieval.

■ Facebook Pixel Device Data

Data assigned to your device by the Facebook Pixel: This includes a unique ID for recognizing returning visitors.

■ Facebook Pixel Event Data

Data that Facebook collects through the Facebook Pixel by associating it with the unique visitor ID contained in the Facebook Pixel Device Data for the respective visitor: This includes actions that take place on the website (so-called "events"). For example, this includes the specific URL of the page that was visited on www.ghst.de.

This also includes information associated with the actions captured (so-called "parameters"). This includes, for example, whether the visitor has submitted the form to subscribe to the GHS newsletter.

■ Facebook Pixel Analysis Data

Data that Facebook generates based on the information collected through the Facebook Pixel, assigned to the unique visitor ID contained in the Facebook Pixel Device Data for the respective visitor: This includes information about the effectiveness of Facebook ads and user assignments to target groups for Facebook ads. Based on the information collected, Facebook may generate further data for its own purposes or for the purposes of third parties. We have no knowledge of the details of the data generated by Facebook.

(iii) The legal basis for enabling the collection of personal data via our website by Facebook is Article 6 (1) lit. a) GDPR (consent). We do not process personal data in our area of responsibility. We have no knowledge of the details of the processing of the data in Facebook's area of responsibility, especially about the legal basis used by Facebook for the processing.

(iv) The Facebook Pixel Analysis data is generated independently by Facebook. We do not know whether Facebook uses additional data sources.

(v) The recipient of the data collected via our website is Facebook Ireland Limited as the party responsible for the collection and processing of personal data. Facebook Ireland Limited uses the Facebook Inc. in the USA (1 Hacker Way, Menlo Park, CA 94025, USA) as a service provider. The basis for data processing in the USA is your consent given via the cookie banner (Art. 49 Para. 1 lit. a) GDPR). There is no level of data protection in the USA comparable to the requirements of the GDPR. It is possible that government agencies may access personal data without us or you becoming aware of it. It is unlikely that you will be able to enforce your rights in the USA. You can revoke your consent at any time with effect for the future via the cookie dashboard.

(vi) We do not collect or store this data ourselves. The collection and processing of this data takes place in the area of responsibility of Facebook. We have no knowledge of the storage duration.

(vii) The provision of data is not required by law or contract, or necessary for the conclusion of a contract. There is no obligation on the part of the data subject to provide the data. If the data is not provided, Facebook cannot offer the function of the Facebook Pixel.

(viii) We do not carry out automated decision-making in our area of responsibility. We have no knowledge of the details of the processing of the data in Facebook's area of responsibility, especially about any automated decision-making and possible data processing in the USA.

1.5 Multi and Social Media Content from Third Parties

We integrate multimedia content and content from social media platforms on our website if you have given your consent through our "cookie banner".

a) Soundcloud Embedding

If you activate the corresponding slider in the cookie banner or in the cookie dashboard for "Soundcloud" in the category "Multi and Social Media Content from Third Parties" to play the content, you agree that we allow Soundcloud to collect data for its own purposes. The collection and processing of this data is exclusively in the responsibility of Soundcloud Limited, 20 Old Bailey, London, EC4M 7 AN, United Kingdom.

Our website then links audio files that are stored and accessible on Soundcloud. As soon as you activate the corresponding slider in the cookie banner or in the cookie dashboard, the file from Soundcloud is loaded. Technically, the same thing happens that would happen if you were to switch to the Soundcloud website via a link: Soundcloud receives all the information that your browser automatically transmits (including your IP address). Soundcloud also sets its own cookies on your device. This happens even if you do not have a Soundcloud user account. If you are logged into Soundcloud, your data will be directly associated with your account. If you do not want the association with your profile on Soundcloud, you must log out of Soundcloud before clicking on the audio file.

We have no knowledge of further details of the processing of personal data in the responsibility area of Soundcloud or of possible data processing in the USA. GHST has no influence on Soundcloud's data processing.

You can find information about the processing of personal data by Soundcloud in the Soundcloud privacy policy: soundcloud.com/pages/privacy

b) Podigee Podcast Hosting

If you activate the corresponding slider in the cookie banner or in the cookie dashboard for "Podigee Podcast Hosting" in the category "Multi and Social Media Content from Third Parties" to play the podcast content, you agree that we allow Podigee to collect data for its own purposes. The collection and processing of this data is exclusively in the responsibility of Podigee GmbH, Schlesische Straße 20, 10997 Berlin.

Our website then links podcast files that are stored and accessible on Podigee. As soon as you activate the corresponding slider in the cookie banner or in the cookie dashboard, the file from Podigee is loaded. Technically, the same thing happens that would happen if you were to switch to the Podigee website via a link: Podigee receives all the information that your browser automatically transmits (including your IP address). Podigee also sets its own cookies on your device.

We have no knowledge of further details of the processing of personal data in the responsibility area of Podigee or of possible data processing in the USA. GHST has no influence on Podigee's data processing.

You can find information about the processing of personal data by Podigee in the Podigee privacy policy: www.podigee.com/de/about/privacy/

c) Youtube Embedding (Privacy mode) and Google Fonts

If you activate the corresponding slider in the cookie banner or in the cookie dashboard for "Youtube and Google Fonts" in the category "Multi and Social Media Content from Third Parties" to play the content, you agree that we allow Google as the provider of the Youtube service to collect data for its own purposes. The collection and processing of this data is exclusively in the responsibility of Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. Google Ireland Limited uses Google LLC in the USA (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) as a service provider.

We then embed videos stored on YouTube on our website. Google Fonts content may also be included. With this embedding, contents of the YouTube website are displayed in parts of a browser window. However, the YouTube videos are only retrieved by clicking separately on the video. The embedding of YouTube content takes place in the so-called "extended privacy mode". This is provided by Google as the operator of YouTube, thus ensuring that no data is transmitted to Google before a click in the cookie banner or in the cookie dashboard to play the video and no cookies are stored on your device.

As soon as you activate the corresponding slider in the cookie banner or in the cookie dashboard, the video from YouTube is loaded. Technically, the same thing happens that would happen if you were to switch to the YouTube website via a link: YouTube receives all the information that your browser automatically transmits (including your IP address). YouTube also sets its own cookies on your device. This happens even if you do not have a YouTube user account. If you are logged into YouTube or Google, your data will be directly associated with your account. If you do not want the association with your user account at YouTube or Google, you must log out of YouTube and Google before clicking on the corresponding sliders in the cookie banner or in the cookie dashboard.

We have no knowledge of further details of the processing of personal data in the responsibility area of Google or of possible data processing in the USA. GHST has no influence on Google's data processing.

You can find information about the processing of personal data by Google in the Google privacy policy: https://policies.google.com/privacy;

d) Twitter Content

When you activate the appropriate slider in the cookie banner or in the cookie dashboard for "Twitter content" in the category "Multi- and Social Media Content from Third Parties" to display Twitter content, you agree that we allow Twitter to collect data for its own purposes. This is done by integrating content stored on Twitter into our website. In this integration, contents of the Twitter website are displayed in parts of a browser window. Before activating the corresponding fields in the cookie banner or in the cookie dashboard to display Twitter content, no data will be transmitted to Twitter and no cookies will be stored on your device.

As soon as you activate the appropriate sliders in the cookie banner or in the cookie dashboard to display Twitter content, the content from Twitter is loaded. Technically, the same thing happens as would happen if you were to switch to the Twitter website via a link: Twitter receives all the information that your browser automatically transmits (including your IP address). In addition, Twitter sets its own cookies on your device. This also happens if you do not have a Twitter user account. If you are logged into Twitter, your data will be directly associated with your account. If you do not wish to associate with your Twitter user account, you must log out of Twitter before activating the sliders in the cookie banner or in the cookie dashboard.

The collection and processing of this data takes place exclusively in the responsibility area of Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. We have no knowledge of further details of the processing of personal data in the responsibility area of Twitter or of data processing in the USA. GHST does not influence the data processing by Twitter.

You can obtain information about the processing of personal data by Twitter in the Twitter data protection regulations: twitter.com/de/privacy

e) Yumpu Content

When you activate the appropriate slider in the cookie banner or in the cookie dashboard for "Yumpu" in the category "Multi- and Social Media Content from Third Parties" to display an animated PDF, you agree that we allow Yumpu to collect data for its own purposes. The collection and processing of this data takes place exclusively in the responsibility area of i-magazine AG, Gewerbestrasse 3, 9444 Diepoldsau, Switzerland.

When you call up an animated PDF (for example, an annual report) on our website, a connection is established to the servers of Yumpu in Switzerland. Calling up the online magazines requires Yumpu to perceive the IP address of the users, because without the IP address, the content can usually not be sent to your browser.

Further information about Yumpu can be found in the privacy policy of i-magazine AG: https://www.yumpu.com/de/info/privacy_policy

2. Participants in GHST Projects and Events

(i) We process your data for the purpose of carrying out the project and the event, as well as for documenting the project and the event through photo and audio recordings and using the resulting recordings for press and public relations work. Another purpose is to share participant data with the cooperation partners named in the context of each individual project and event for the purposes stated. A change in these purposes is not planned.

(ii) The data processed are participant data, which can vary from project to project/event to event. As a rule, however, these are the names and contact details of the participants and sometimes photos of the participants or individual project results. Further details are always provided in the context of the specific project or event.

(iii) The legal basis for the processing of data from participants in projects and events are Article 6(1)(b) GDPR (contract for the execution of the event) and Article 6(1)(c) GDPR (legal obligations, in particular tax and commercial law regulations). The legal basis for the making of photo and sound recordings is your consent according to Article 6(1)(a) GDPR and Article 6(1)(f) GDPR (legitimate interest in documenting the events or projects we have carried out and our legitimate interest in presenting GHST through press and public relations work). Consent is voluntary, participation in the event is possible without giving consent to take photos. In case of participants in projects and events who are under 16 years of age, the consent is given by the person responsible for parental responsibility or the granting of consent by the child with the consent of the person responsible for parental responsibility (Art. 8 para. 1 sentence 2 GDPR). The legal basis for the transfer of participant data to the cooperation partners named in the context of each individual project and event is Article 6(1)(f) GDPR (legitimate interest in carrying out the project or event).

(iv) Recipients of the photo and audio recordings can be anyone for the purpose of press and public relations work, in particular journalists, media companies, press and photo agencies, members, employees, website visitors, users of social media, and service providers within the scope of contract processing, in particular commissioned web hosting companies, IT and media service providers. Recipients of participant data are the cooperation partners named in the context of each individual project and event. Unless otherwise specified in the context of the respective project or event, the respective cooperation partners are independent controllers for the data processing. Further details on the data processing of the cooperation partners can be found in the privacy statements of the cooperation partners, which are given in the context of the respective project and the respective event.

(v) When publishing photo and audio recordings on the Internet (GHST website, GHST social media platforms, film recordings in videos (e.g. YouTube)), data is regularly transmitted to so-called third countries outside the European Union, which are considered insecure third countries from a data protection perspective. GHST has no influence on how the operators of social media handle the data. Whether and for what purposes the data is further processed in the third country is beyond GHST's knowledge.

(vi) Archived photo and audio recordings from the event as well as publications are usually not deleted. All contract and booking-relevant data are stored in accordance with tax and commercial law retention periods for a period of ten calendar years after the end of the contract. Other data collected during the event is deleted six months after the event.

(vii) The provision of data is contractually required for participation in events and projects. Without providing data, participation in events and projects is not possible. Making photo and audio recordings is not mandatory for participation in the event and projects. If you do not want photo and audio recordings, please inform our staff at the event location.

3. Participants in Online Events via Zoom

(i) We process the data of participants for the purpose of organizing, conducting and documenting the GHST online event via Zoom. If we specifically point this out in the context of the individual online events and obtain your consent, a recording of the online event and the publication of the recording on the website, the GHST YouTube channel or other specified channels will take place. A change in these purposes is not planned.

(ii) The data of the participants processed by GHST as the controller for the data processing in the context of the GHST online event via Zoom are:

■ Participant data

First and last name, email address

■ Zoom conference data

Meeting metadata: topic, IP address, device/hardware information

Phone data: If dialed in by phone, details of incoming and outgoing phone number, country name, start and end time, possibly other connection data.

■ Communication data

During the online event, your communication data in the form of questions, statements or votes, as well as chat contributions are processed. You always decide for yourself whether and in what form you want to participate.

■ Photo, sound and video data (and recordings if consented)

During the online event via Zoom, photo, sound and video data of the participants are processed.

Each person can always freely decide whether they want to turn on their camera and microphone, or whether they only want to communicate via the chat window.

If we have obtained your consent in this regard, a recording of the online event including the film, sound and video data of the participants will take place.

■ Payment data (only for paid online events)

For paid online events, we also process payment data.

(iii) The legal basis for processing data from participants for the implementation of the online event via Zoom is your consent according to Article 6 paragraph 1 lit. a) GDPR. The legal basis for the production and publication of recordings on the GHST website or other specified channels is also your consent according to Article 6 paragraph 1 lit. a) GDPR.

(iv) You can withdraw the given consent at any time with effect for the future. The revocation does not affect the legality of the processing carried out before the revocation. Therefore, already made publications (e.g., on websites or on social media) will not be deleted.

(v) The participant data and payment data were actively provided by the data subject during registration for the GHST online event. The Zoom conference data is actively provided by the data subject themselves or automatically by the browser or the end device of the data subject. The photo, sound, or video data and communication data are automatically collected; the recordings of the photo, sound, and video data are made by GHST.

(vi) The participant data (and payment data) will be deleted after 10 years (legal retention periods due to participation in the online event). The Zoom conference data and communication data are usually deleted three months after the GHST online event, unless otherwise indicated during the individual event. The photo, sound, and video data, the corresponding recordings, and the selected archived material are not deleted. However, the excess raw material from the recordings is deleted 3 months after the online event. Furthermore, you can request the deletion of your personal data at any time, unless we are legally or contractually obliged or entitled to further processing of the data.

(vii) Recipients of the name, communication data, and photo, sound, and video data are always the moderators and the other participants of the respective GHST online event. We also use service providers in the course of order processing, in particular for the provision, maintenance, and care of IT systems, in particular the service provider Zoom Video Communications, Inc., 55 Almaden Blvd, Suite 600, San Jose, CA 95113, USA. In the USA, there is no data protection level comparable to the GDPR. It is possible that government agencies may access personal data without us or you knowing about it. Enforcement of your rights is likely not possible in the USA. We have concluded the EU standard contractual clauses (2021/914; Module 2) with Zoom and agreed on additional security measures. You can request a copy of the main contractual content of the standard contractual clauses at any time. In addition, we have prudently obtained your consent (Art. 49 paragraph 1 lit. a) GDPR). You can revoke your consent at any time with effect for the future via the contact address provided.

If you create your own profile during registration on Zoom and register accordingly, the processing of this personal data is the sole responsibility of Zoom Video Communications, Inc. We have no knowledge of further details of data processing by Zoom Video Communications, Inc. and data processing in the USA.

You can find more information about data processing by Zoom Video Communications, Inc. in the privacy policy: zoom.us/privacy

Recipients of the published photo, sound, and film recordings including the name of the participants can be anyone, especially journalists, press agencies, members, employees, visitors to the website, users of social media, etc., and service providers within the framework of order processing, in particular commissioned web hosting companies and IT and media service providers.

When publishing recordings on the internet (GHST websites, videos on e.g. YouTube), data is regularly transferred to so-called third countries outside the European Union, which are considered unsafe third countries from a data protection perspective. GHST has no influence on how the operators of social media handle the data. GHST does not know whether and for what purposes the data is further processed in the third country.

4. Participants in online events via Alfaview

(i) We process the data of participants for the purpose of organizing, implementing, and documenting the GHST online event via Alfaview. If we separately point this out and obtain your consent during the individual online events, a recording of the online event is made and the recording is published on the website, the GHST YouTube channel, or other separately indicated channels. A change of these purposes is not planned.

(ii) The processed data are:

a) For registered users of Alfaview

■ Access data from registered users such as name and email address

■ Optionally, users can also provide additional information in the user profile such as title, initials, location

b) Users via guest link invitations

■ Name or pseudonym or in the case of an individualized guest link name and email address

c) General

■ Meeting metadata: Topic, IP address, device/hardware information

■ Communication data

During the online event, your communication data in the form of questions, statements, or votes, as well as chat contributions, are processed. You always decide for yourself whether and in what form you want to participate.

■ Photo, sound, and video data (and corresponding recordings with consent)

During the online event via Alfaview, photo, sound, and video data from participants are processed.

However, each person can always freely decide whether they want to turn on their camera and microphone or whether they want to communicate via the chat window only.

If we have obtained your corresponding consent, a recording of the online event, including the film, sound, and video data of the participants, is made.

■ Payment data (only for paid online events)

For paid online events, we also process payment data.

(iii) The legal basis for processing data from adult participants for the conduct of the online event via Alfaview is our legitimate interest in the conduct and implementation of the respective online event according to Article 6 (1) lit. f) GDPR. Insofar as it concerns underage participants in the online event, consent is obtained from the person holding parental responsibility or the granting of the child's consent with the agreement of the person holding parental responsibility (Art. 8 Para. 1 Sentence 2 GDPR). The legal basis for the creation and publication of recordings on the GHST website or on other specified channels is only given in the case of corresponding consent according to Article 6 (1) lit. a) GDPR.

(iv) You can revoke the given consent at any time with effect for the future. The revocation does not affect the legality of the processing carried out before the revocation. Therefore, publications that have already been made (e.g. on websites or on social media will not be deleted).

(v) The participant data and payment data were actively provided by the data subject during registration for the GHST online event. The meeting metadata are automatically provided by the browser or the end device of the data subject. The photo, audio, or video data and communication data are automatically collected, the recordings of the photo, audio, and video data are made by GHST.

(vi) The participant data (and payment data) will be deleted after 10 years (statutory retention periods due to participation in the online event). The communication data and other data are usually deleted three months after the GHST online event has been held, unless something else is specified for each event. The photo, audio, and video data, the corresponding recordings and the selected archived material are not deleted. However, the excess raw material from the recordings is deleted 3 months after the online event. In addition, you can request the deletion of your personal data at any time, unless we are legally or contractually obliged or entitled to further process the data.

(vii) The recipients of the name, communication data, and photo, sound, and video data are always the moderators as well as the other participants of the respective GHST online event. We also use service providers in the course of order processing to provide services, in particular for the provision, maintenance, and care of IT systems, in particular the service provider Alfaview GmbH, Kriegsstr. 100, 76133 Karlsruhe.

The recipient of the published photo, audio, and film recordings incl. name of the participant can be anyone, in particular journalists, press agencies, members, employees, visitors to the website, users of social media, etc., as well as service providers as part of order processing, in particular commissioned web hosting companies and IT and media service providers.

When publishing recordings on the internet (GHST websites, videos on e.g. YouTube), data is regularly transferred to so-called third countries outside the European Union, which are considered insecure third countries under data protection law. GHST has no influence on how the operators of social media handle the data. Whether and for what purposes the data are further processed in the third country is beyond GHST's knowledge.

(viii) The provision of data is contractually obligatory for participation in online events. Without the provision of data, participation in online events is not possible. The release of communication, photo, audio, and video data and the recording of photo, audio, and video data is not mandatory for participation in online events.

5. Applicants for a project or an event of GHST

(i) The purposes of data processing are the implementation of the application process and the selection of participants for the respective project or event of GHST. A change in these purposes is not planned.

(ii) The legal basis for data processing is the initiation of a contract for participation in the project or event (Article 6 (1) lit. b) GDPR). If you do not apply directly yourself but are suggested, for example, then the legal basis is the legitimate interest of GHST in knowing the suggested persons for the respective project and their professional qualification (Article 6 (1) lit. f) GDPR).

(iii) The personal data are internally passed on to the responsible employees. In addition, the data are partly passed on to an expert commission and to project partners during the application process. In addition, we use service providers in the course of order processing service providers in the selection processes, as well as for the provision, maintenance, and care of IT systems.

(iv) The applicant data for the degree programs, research, and training events are deleted 6 months after the end of the application process. All contract and booking relevant data are stored for ten calendar years after the end of the contract in accordance with tax and commercial law retention periods.

(v) Without the data, participation in the application processes for GHST projects and events is not possible.

6. GHST Fellows/Alumni

(i) The purpose of processing is to participate in GHST's Fellows/Alumni programs and their organization and documentation. A change to this purpose is not planned.

(ii) The processed data are:

■ Master data, name, gender, title, contact details (electronic, postal), birthday, nationality, affiliation to GHST

■ Information on profession, qualifications, education and CV, areas of interest, self-description

■ Photographic images and independently generated content (pictures, comments, posts)

■ Bank details (e.g., for donations)

■ Applications, registration data for events (e.g., meal preferences)

(iii) The legal basis for processing is your consent to participate in the GHST Fellows/Alumni Program in accordance with Article 6 (1) (a) GDPR and Article 6 (1) (c) GDPR (legal obligations, in particular tax and commercial law regulations).

(iv) Recipients of the data may be other participants in the GHST's Fellows/Alumni programs for networking purposes. We use service providers in the course of contract processing to provide services, especially for the provision, maintenance, and care of IT systems.

(v) The data of the Fellows/Alumni Program participants will only be deleted when they unsubscribe from the Fellows/Alumni Program.

(vi) Without this data, participation in the GHST's Fellows/Alumni program is not possible.

7. Applicants for employment at GHST

(i) The purpose of data processing is applicant selection for employment. A change to this purpose is not planned.

(ii) The legal basis is § 26 BDSG in conjunction with Art. 6 para. 1 lit. b) (initiation of the employment contract) and Art. 88 GDPR. We process voluntary information within the framework of your application on the basis of § 26 para. 2 BDSG in conjunction with Art. 6 para. 1 lit. a) (consent) and Art. 88 GDPR.

(iii) Applicant data is forwarded internally to the responsible employees. We use service providers in the course of contract processing to provide services, especially for the provision, maintenance, and care of IT systems.

(iv) Applicant data is deleted six months after the end of the specific application process. If an interest in other positions is expressed, the data remains stored for up to 12 months after the last job offer or the last concrete expression of interest.

(v) The provision of data is necessary for applicants. Without data, an application is not possible.

8. Newsletter subscribers

(i) The purpose of processing is the sending of newsletters. A change to this purpose is not planned.

(ii) The legal basis for processing data for newsletters is your consent (Article 6 (1) (a) GDPR). In the case of newsletter recipients who are under 16 years of age, consent is given by the holder of parental responsibility or the child's consent is given with the approval of the holder of parental responsibility (Article 8 (1) sentence 2 GDPR).

(iii) We use service providers in the course of contract processing to provide services, especially for the provision, maintenance, and care of IT systems.

(iv) Newsletter data is deleted when unsubscribed.

(v) The provision of data is mandatory for receiving newsletters. Without data, newsletters cannot be sent.

9. Business partners and their employees

(i) The purpose of processing is the preparation and implementation of contracts as well as communication with employees of business partners. A change to this purpose is not planned.

(ii) The legal basis for processing is, in the case of contracts with natural persons, Article 6 (1) (b) GDPR (preparation and implementation of the contract), in the case of contracts with legal persons, Article 6 (1) (f) GDPR (legitimate interest, namely communication with contract-relevant contacts), as well as always Article 6 (1) (c) GDPR (legal obligations, in particular tax and commercial law regulations).

(iii) Recipients of the data can be banks for the processing of payments. Authorities and offices can be recipients as part of their tasks, insofar as we are obliged or entitled to transmit data. We also use service providers in the course of contract processing for the provision of services, especially for the provision, maintenance, and care of IT systems.

(iv) All contract and booking relevant data are stored for a period of ten calendar years after the end of the contract in accordance with tax and commercial law retention periods.

(v) The provision of data is both a legal and contractual obligation for business partners and their employees. Without the provision of data, the business relationship cannot be established and carried out.

10. Interested Parties and Communication Partners

(i) The purpose of the processing is to communicate with interested parties and communication partners of the GHST. A change to this purpose is not planned.

(ii) The legal basis for the processing of interested parties and other communication partners is Art. 6 para. 1 lit. f) GDPR (legitimate interest, namely communication with interested parties and communication partners).

(iii) We forward inquiries internally to the responsible employees. We also use service providers in the course of order processing for the provision of services, in particular for the provision, maintenance, and care of IT systems.

(iv) Inquiries and communication are automatically deleted after ten calendar years.

(v) The provision of data is necessary for interested parties and communication partners. Without the provision of data, communication is not possible.

11. Visitors of GHST's Social Media Accounts

11.1 General Information

GHST operates several social media accounts. The respective social media platforms are operated by service providers who process the data that arise in the course of the technical operation of the social media platform.

(i) The purpose of data processing on our social media accounts is to provide you with interesting content and to interact with you on social media platforms.

(ii) The data processed are content and usage data on such social media accounts.

(iii) Information and data displayed or shared on the GHST social media account may be accessible to the respective provider of the social media platform, its users, and GHST (or contracted service providers).

(iv) Further details on data processing on the respective social media accounts can be found on the respective social media platforms and in this privacy information.

11.2 Tool for managing and monitoring social media content (Hootsuite)

GHST uses the tool Hootsuite to control and monitor social media content on the respective social media accounts.

1. The purpose of data processing is the control and monitoring of content on GHST's social media accounts, through which we provide visitors with information about GHST's offerings and programs. A change to these purposes is not planned.

2. The processed data are:

- User Generated Content

  Content created by the users (e.g., messages, postings, comments, feeds on the social media accounts). These are data for which the respective users themselves decide to publish them on the public social media networks. These data can thus also include special categories of personal data according to Art. 9 GDPR, according to the user's own decision.

- Name and/or contact details of the users

3. The legal basis for the processing of the data is Art. 6 para. 1 lit. f) GDPR (legitimate interest, namely in the control and monitoring of the GHST social media account in an efficient and professional manner). The legal basis for the processing of Art. 9 GDPR data is the publication by the data subject (Art. 9 para. 1 lit. e) GDPR).

4. Name and contact data as well as User Generated Content are actively provided by the data subject.

5. The recipient of the name and User Generated Content can be anyone, as these are public content on social media channels that the users publish independently. We also use service providers in the course of order processing, in particular for the provision, maintenance, and care of IT systems, especially the service providers Hootsuite Inc. 111 East 5th Avenue, Vancouver, BC, Canada V5T 4L1. Hootsuite itself may use subcontractors in the USA. In the USA, there is no data protection level comparable to the requirements of the GDPR. It is possible that governmental authorities may access personal data without us or you becoming aware of it. Enforcement of your rights in the USA is likely not possible. Hootsuite has concluded the EU standard contractual clauses (2021/914; Module 2) and agreed additional security measures. You can request a copy of the essential contractual content of the standard contractual clauses at any time.

6. The data is stored only for the duration of the processing sessions of the GHST employee(s). Event data, for example, comments in which the users link the GHST, can only be processed by GHST as long as the event - here the link - exists. We point out that User Generated Content can be deleted independently by the users at any time.

7. The provision of the data is not mandatory. Without the provision of data, GHST cannot carry out social media monitoring and cannot respond to the comments and content of the users.

11.3 Facebook

We and Facebook (for users in the EU/EEA: Facebook Ireland Ltd. (Facebook), 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) are jointly responsible for the processing of personal data via the GHST Facebook page. The agreement on shared responsibility can be accessed at: www.facebook.com/legal/controller_addendum. According to the agreement, Facebook is responsible for informing the affected individuals about the processing activities. Facebook's privacy policy can be found at: www.facebook.com/privacy/explanation. Affected individuals can assert their rights against each of the data controllers, GHST and/or Facebook. For more information about the data that Facebook shares with GHST, please visit www.facebook.com/business/learn/facebook-page-insights-basics.

11.4 Instagram

We and Instagram (for users in the EU/EEA provided by Facebook Ireland Ltd. (Facebook), 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) are jointly responsible for the processing of personal data via the GHST Instagram page. The agreement on shared responsibility can be accessed at: www.facebook.com/legal/controller_addendum. According to the agreement, Instagram (provided by Facebook) is responsible for informing the affected individuals about the processing. Instagram's privacy policy can be found at: help.instagram.com/519522125107875. Affected individuals can assert their rights against each of the data controllers, GHST and/or Instagram (provided by Facebook). For more information about the data that Instagram shares with GHST, please visit de-de.facebook.com/help/nstagram/788388387972460.

11.5 Youtube

We operate a social media page on the YouTube platform. The collection and processing of this data is solely the responsibility of Google (for EU/EEA Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland and Google Ireland Limited uses Google LLC in the USA (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) as a service provider). Further details of the processing of personal data in the area of Google's data control or any possible data processing in the USA are not known to us. GHST has no influence on Google's data processing. Information on the processing of personal data by Google can be found in Google's privacy policy: policies.google.com/privacy.

11.6 Twitter

We operate a social media page on Twitter (by Twitter, Inc., 1355 Market Street, Suite 900 San Francisco, CA 94103, USA). For users in the EU/EEA, the privacy addendum between Twitter and GHST applies: gdpr.twitter.com/en/controller-to-controller-transfers.html. According to the agreement, the collection and processing of this data is solely the responsibility of Twitter. Twitter's privacy policy can be found at: twitter.com/en/privacy.

12. Rights of the data subjects and further information

(i) We do not use automated individual decision-making procedures.

(ii) You have the right at any time to request information about all personal data that we process from you.

(iii) If your personal data is incorrect or incomplete, you have the right to rectification and completion.

(iv) You can request the deletion of your personal data at any time, unless we are legally obliged or authorized to continue processing your data.

(v) If the legal requirements are met, you can request a restriction on the processing of your personal data.

(vi) You have the right to object to processing if the data processing is for the purpose of direct marketing or profiling.

(vii) If processing is based on a balance of interests, you can object to the processing, stating reasons that arise from your particular situation.

(viii) If the data processing is based on your consent or within the framework of a contract, you have a right to the transfer of the data provided by you, provided that this does not affect the rights and freedoms of other persons.

(ix) If we process your data on the basis of a declaration of consent, you have the right at any time to revoke this consent with effect for the future. The processing carried out before a revocation remains unaffected by the revocation.

(x) You also have the right to lodge a complaint with a data protection supervisory authority at any time if you believe that data processing has occurred in violation of applicable law.

As of: July 2022