With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also briefly referred to as “data”) we process, for what purposes, and to what extent. The privacy policy applies to all processing of personal data carried out by us, both within the framework of providing our services and in particular on our websites, in mobile applications, as well as within external online presences, such as our social media profiles (hereinafter collectively referred to as the “Online Offer”).
The terms used are not gender-specific.
Status: July 24, 2024
Aab Humanitarian Association gGmbH
c/o Law Office Heinrich
Spichernstr. 2, 10777 Berlin
Germany
Managing Director: Vesna Donic
E-Mail: office@aab-human.de
Commercial Register Number: HRB 262566 B, District Court Charlottenburg
Tax Number: 27/611/83895, Tax Office for Corporations in Berlin
VAT ID: DE367305116
Contact for Data Protection Officer:
You can reach our Data Protection Officer at: datenschutz@aab-human.de
The following overview summarizes the types of data processed and the purposes of their processing, and refers to the affected persons.
Types of data processed:
Inventory data
Payment data
Contact data
Content data
Contract data
Usage data
Meta-/Communication data
Data subjects:
Customers
Interested parties
Communication partners
Users
Purposes of processing:
Provision of contractual services and customer service
Contact inquiries and communication
Direct marketing
Reach measurement
Feedback
Marketing
Profiles with user-related information
Provision of our Online Offer and user-friendliness
Below you will find an overview of the legal bases of the GDPR, on the basis of which we process personal data.
Please note that, in addition to the provisions of the GDPR, national data protection requirements may apply in your or our country of residence.
If more specific legal bases are applicable in individual cases, we will inform you of them in this privacy policy.
Consent (Art. 6 (1) (a) GDPR): The data subject has given consent to the processing of their personal data for one or more specific purposes.
Performance of a contract and pre-contractual inquiries (Art. 6 (1) (b) GDPR): The processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract.
Legitimate interests (Art. 6 (1) (f) GDPR): The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
In addition to the data protection regulations of the General Data Protection Regulation (GDPR), national data protection provisions in Germany apply.
These include, in particular, the Federal Data Protection Act (BDSG).
The BDSG contains specific regulations, especially concerning the right of access, the right to erasure, the right to object, the processing of special categories of personal data, the processing for other purposes, and the transmission as well as automated individual decision-making including profiling.
Furthermore, state data protection laws of individual federal states may apply.
We take appropriate technical and organizational measures in accordance with the legal requirements, taking into account the state of the art, the costs of implementation, and the nature, scope, circumstances, and purposes of the processing as well as the varying likelihoods and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.
The measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as controlling the access to, input of, disclosure of, availability of, and separation of the data.
Furthermore, we have established procedures that ensure the exercise of data subjects’ rights, the deletion of data, and responses to threats to data.
Additionally, we consider the protection of personal data already in the development or selection of hardware, software, and procedures, in accordance with the principle of data protection through technology design and data protection-friendly default settings.
If IP addresses are processed by us or by the service providers and technologies we use, and the processing of a complete IP address is not necessary, the IP address is shortened (also referred to as “IP masking”).
In this process, the last two digits, or the last part of the IP address after a dot, are removed or replaced by placeholders.
The purpose of IP address shortening is to prevent or significantly complicate the identification of a person based on their IP address.
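As an added illustration of the IP masking described above (this code is not part of the policy and not software the organisation is stated to use), the following Python functions shorten an address before it is stored: for an IPv4 address the last part after the final dot is replaced by a placeholder, exactly as the text describes. The IPv6 rule (keeping only a /48 prefix), the log-line format and the sample log lines are assumptions constructed for this example.

```python
import ipaddress
import re

# Constructed sample access-log lines (Common Log Format); the addresses come
# from the RFC 5737 documentation ranges and do not belong to any real user.
SAMPLE_LOG_LINES = [
    '192.0.2.17 - - [24/Jul/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '198.51.100.204 - - [24/Jul/2024:10:00:03 +0000] "GET /contact HTTP/1.1" 200 2048',
]

# Matches dotted-quad tokens; validity is checked separately by ipaddress.
IPV4_PATTERN = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def mask_ip(addr: str, placeholder: str = "0") -> str:
    """Shorten an IP address so it no longer identifies a single host.

    IPv4: the last part after the final dot (the host octet) is replaced by
    ``placeholder``, as the policy describes, so 192.0.2.17 becomes 192.0.2.0.
    IPv6: only the first 48 bits are kept and the remainder is zeroed. The
    IPv6 rule is an assumption added here; the policy text describes only
    the dotted (IPv4) case.
    """
    ip = ipaddress.ip_address(addr)  # raises ValueError for malformed input
    if ip.version == 4:
        octets = addr.split(".")
        octets[-1] = placeholder
        return ".".join(octets)
    network = ipaddress.ip_network(f"{ip}/48", strict=False)
    return str(network.network_address)


def mask_log_line(line: str) -> str:
    """Apply IP masking to every IPv4 address found in one log line.

    Tokens that look like an address but are not valid (e.g. 999.1.1.1) are
    left untouched rather than aborting the ingestion pipeline.
    """
    def _replace(match: re.Match) -> str:
        token = match.group(0)
        try:
            return mask_ip(token)
        except ValueError:
            return token
    return IPV4_PATTERN.sub(_replace, line)


def mask_log_lines(lines):
    """Mask a batch of log lines; intended to run before anything is written to disk."""
    return [mask_log_line(line) for line in lines]


if __name__ == "__main__":
    for masked in mask_log_lines(SAMPLE_LOG_LINES):
        print(masked)
```

The masking has to happen at the point of collection, before the full address reaches any log file or analytics store; once written, the complete address already exists as personal data. After masking, every host in the same /24 (for IPv4) yields the identical value, which is what makes the stored value a pseudonym rather than an identifier.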
To protect the data you transmit via our Online Offer, we use SSL encryption.
You can recognize such encrypted connections by the prefix “https://” in the address line of your browser.
In the course of our processing of personal data, it may happen that the data is transmitted to other entities, companies, legally independent organizational units, or individuals or disclosed to them.
The recipients of this data may include, for example, service providers tasked with IT duties or providers of services and content that are integrated into a website.
In such cases, we observe the legal requirements and, in particular, conclude corresponding contracts or agreements that serve to protect your data with the recipients of your data.
We may transmit personal data to other entities within our organization or grant them access to this data.
If this transmission is for administrative purposes, the transmission of the data is based on our legitimate business and operational interests or occurs when it is necessary for the fulfillment of our contractual obligations or if consent from the data subjects or another legal authorization is present.
If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if the processing takes place within the framework of the use of third-party services or the disclosure or transmission of data to other persons, entities, or companies, this will only occur in accordance with the legal requirements.
Subject to explicit consent or contractual or legally required transmission, we process or allow the data to be processed only in third countries with a recognized level of data protection, a contractual obligation through so-called standard contractual clauses of the EU Commission, the existence of certifications, or binding internal data protection rules (Articles 44 to 49 GDPR, information page of the EU Commission: Link).
The data processed by us will be deleted in accordance with the legal requirements as soon as the consents permitting processing are revoked or other authorizations cease to apply (e.g., when the purpose of processing this data no longer exists or it is no longer necessary for the purpose).
If the data is not deleted because it is required for other, legally permissible purposes, its processing will be restricted to those purposes.
That is, the data is blocked and not processed for other purposes.
This applies, for example, to data that must be retained for commercial or tax law reasons or whose storage is necessary for the assertion, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person.
Our data protection notices may also contain further details on the retention and deletion of data that apply primarily to the respective processing.
Cookies are small text files or other storage markers that store information on end devices and retrieve information from them, for example to save the login status in a user account, the contents of a shopping cart in an e-shop, the content accessed, or the functions used in an online offer.
Cookies can also be used for different purposes, e.g., for the functionality, security, and convenience of online offers as well as for the creation of analyses of visitor flows.
We use cookies in accordance with the legal provisions.
Therefore, we obtain prior consent from users, unless the law does not require it.
Consent is particularly not required if the storage and the reading of information, thus also of cookies, are absolutely necessary to provide the users with a telemedia service (i.e., our online offer) that they have explicitly requested.
The revocable consent is clearly communicated to the users and contains information about the respective use of cookies.
Notes on the Legal Basis under Data Protection Law
The legal basis on which we process personal data of users with the help of cookies depends on whether we ask users for their consent.
If users consent, the legal basis for the processing of their data is the declared consent (Art. 6(1)(a) GDPR).
Otherwise, the processing of data with the help of cookies is based on our legitimate interests (e.g., in the commercial operation of our online offer and the improvement of its usability) (Art. 6(1)(f) GDPR) or, if the use of cookies is necessary to fulfill our contractual obligations, on that basis (Art. 6(1)(b) GDPR).
We explain the purposes for which we process cookies in the course of this privacy policy or within the scope of our consent and processing procedures.
Regarding the storage duration, the following types of cookies are distinguished:
Temporary Cookies (also: Session Cookies):
Temporary cookies are deleted at the latest after a user has left an online offer and closed the application on their end device (e.g., the browser or mobile application).
Permanent Cookies:
Permanent cookies remain stored even after closing the end device.
For example, the login status can be saved or preferred content can be displayed directly when the user revisits a website.
Likewise, user data collected via cookies can be used for reach measurement.
Unless we provide users with explicit information about the type and storage duration of cookies (e.g., in the context of obtaining consent), users should assume that cookies are permanent and that the storage duration can be up to two years.
Users can revoke their given consent at any time and also object to the processing according to the legal requirements of Art. 21 GDPR.
Users can also declare their objection via the settings of their browser, e.g., by deactivating the use of cookies (although this may also restrict the functionality of our online services).
An objection to the use of cookies for online marketing purposes can also be declared via the websites:
Within the framework of contractual and other legal relationships, due to legal obligations, or otherwise on the basis of our legitimate interests, we offer efficient and secure payment options to the data subjects and use other service providers in addition to banks and credit institutions (collectively referred to as “payment service providers”).
The data processed by the payment service providers includes:
Inventory data, such as name and address,
Bank data, such as account numbers or credit card numbers,
Passwords, TANs, and checksums,
as well as contract, amount, and recipient-related information.
These details are necessary to carry out the transactions.
However, the entered data is only processed and stored by the payment service providers.
That is, we do not receive any account or credit card-related information, but only information confirming or rejecting the payment.
Under certain circumstances, the data may be transmitted by the payment service providers to credit reporting agencies.
This transmission is intended to check identity and creditworthiness.
In this regard, we refer to the general terms and conditions and data protection information of the payment service providers.
For payment transactions, the terms and conditions and data protection notices of the respective payment service providers apply, which can be accessed within the respective websites or transaction applications.
We also refer to them for further information and the assertion of revocation, information, and other rights of data subjects.
Types of data processed:
Inventory data (e.g., names, addresses)
Payment data (e.g., bank connections, invoices, payment history)
Contract data (e.g., contract subject matter, duration, customer category)
Usage data (e.g., visited websites, interest in content, access times)
Meta-/communication data (e.g., device information, IP addresses)
Data subjects:
Customers
Interested parties
Purposes of processing:
Provision of contractual services and customer service
Legal bases:
Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR)
Klarna / Sofortüberweisung:
Payment services (technical connection of online payment methods);
Service provider: Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden;
Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR);
Website: https://www.klarna.com/de;
Privacy policy: https://www.klarna.com/de/datenschutz.
Mastercard:
Payment services (technical connection of online payment methods);
Service provider: Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium;
Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR);
Website: https://www.mastercard.de/de-de.html;
Privacy policy: https://www.mastercard.de/de-de/datenschutz.html.
PayPal:
Payment services (technical connection of online payment methods) (e.g., PayPal, PayPal Plus, Braintree);
Service provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg;
Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR);
Website: https://www.paypal.com/de;
Privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.
We use blogs or comparable means of online communication and publication (hereinafter referred to as “publication media”).
The data of the readers is only processed for the purposes of the publication medium insofar as it is necessary for its presentation and communication between authors and readers or for security reasons.
Otherwise, we refer to the information regarding the processing of visitors to our publication medium within the framework of this privacy policy.
Types of data processed:
Inventory data (e.g., names, addresses)
Contact data (e.g., email, telephone numbers)
Content data (e.g., entries in online forms)
Usage data (e.g., visited websites, interest in content, access times)
Meta-/Communication data (e.g., device information, IP addresses)
Data subjects:
Users (e.g., website visitors, users of online services)
Purposes of processing:
Provision of contractual services and customer service
Feedback (e.g., collection of feedback via online form)
Provision of our Online Offer and user-friendliness
Legal bases:
Legitimate interests (Art. 6(1)(f) GDPR)
We send newsletters, emails, and other electronic notifications (hereinafter “newsletter”) only with the consent of the recipients or legal permission.
If the contents of the newsletter are specifically described within the framework of a registration, they are decisive for the user’s consent.
Otherwise, our newsletters contain information about our services and ourselves.
To register for our newsletters, it is generally sufficient to provide your email address.
However, we may ask you to provide a name for personal addressing in the newsletter or other information, if necessary for the purposes of the newsletter.
The registration for our newsletter generally takes place in a so-called double-opt-in procedure.
This means that after registration, you will receive an email asking you to confirm your registration.
This confirmation is necessary so that no one can register with someone else’s email address.
The newsletter registrations are logged in order to be able to prove the registration process according to the legal requirements.
This includes the storage of the registration and confirmation time as well as the IP address.
Likewise, changes to your data stored with the dispatch service provider are logged.
Based on our legitimate interests, we may store unsubscribed email addresses for up to three years before deleting them, in order to be able to prove that consent was previously given.
The processing of this data is limited to the purpose of a possible defense against claims.
An individual deletion request is possible at any time, provided that the former existence of consent is confirmed at the same time.
In case of obligations to permanently observe objections, we reserve the right to store the email address in a block list (so-called “blocklist”) for this purpose alone.
The logging of the registration process is based on our legitimate interests for the purposes of proof of its proper execution.
If we commission a service provider with the dispatch of emails, this is done based on our legitimate interests in an efficient and secure dispatch system.
Contents:
Information about us, our services, actions, and offers
Types of data processed:
Inventory data (e.g., names, addresses)
Contact data (e.g., email, telephone numbers)
Meta-/Communication data (e.g., device information, IP addresses)
Usage data (e.g., visited websites, interest in content, access times)
Data subjects:
Communication partners
Purposes of processing:
Direct marketing (e.g., by email or postal mail)
Legal bases:
Consent (Art. 6(1)(a) GDPR)
You can cancel the receipt of our newsletter at any time, i.e., revoke your consent or object to further receipt.
A link to cancel the newsletter can be found either at the end of each newsletter or you can use one of the above-mentioned contact options, preferably by email.
The newsletters contain a so-called “web beacon,” i.e., a pixel-sized file that is retrieved from our server or, if we use a dispatch service provider, from their server when the newsletter is opened.
As part of this retrieval, technical information, such as information about the browser and your system, as well as your IP address and the time of retrieval, are initially collected.
This information is used to improve our newsletter technically, on the basis of the technical data, and to adapt it to the target groups and their reading behavior, on the basis of their retrieval locations (which can be determined with the help of the IP address) or access times.
Legal bases:
Consent (Art. 6(1)(a) GDPR)
Web analysis (also referred to as “reach measurement”) serves to evaluate the visitor flows of our Online Offer and can include behavior, interests, or demographic information about the visitors, such as age or gender, as pseudonymous values.
With the help of reach analysis, we can recognize, for example, at what time our Online Offer or its functions or content are used most frequently or invite repeat use.
Likewise, we can understand which areas need optimization.
In addition to web analysis, we can also use testing procedures, for example, to test and optimize different versions of our Online Offer or its components.
Unless otherwise stated below, profiles may be created for these purposes, i.e., data summarized per usage process, and information may be stored in a browser or on an end device and read from it.
The collected information includes, in particular, the visited websites and elements used there as well as technical information such as the used browser, the used computer system, and information on usage times.
If users have consented, towards us or towards the providers of the services we use, to the collection of their location data, location data may also be processed.
The IP addresses of users are also stored.
However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect the users.
Generally, no data in clear form (such as email addresses or names) is stored within the scope of web analysis, A/B testing, and optimization, but only pseudonyms.
That is, neither we nor the providers of the software used know the actual identity of the users, only the information stored in their profiles for the purposes of the respective procedures.
Types of data processed:
Usage data (e.g., visited websites, interest in content, access times)
Meta-/Communication data (e.g., device information, IP addresses)
Data subjects:
Users (e.g., website visitors, users of online services)
Purposes of processing:
Reach measurement (e.g., access statistics, recognition of returning visitors)
Profiles with user-related information (creating user profiles)
Security measures:
IP masking (pseudonymization of the IP address)
Legal bases:
Legitimate interests (Art. 6(1)(f) GDPR)
Matomo is privacy-friendly web analysis software that is used without cookies and with which the recognition of returning users is carried out using a so-called “digital fingerprint,” which is stored anonymously and changed every 24 hours.
The “digital fingerprint” collects user movements within our Online Offer using pseudonymized IP addresses in combination with user-side browser settings so that conclusions about the identity of individual users are not possible.
The data collected within the use of Matomo by users is only processed by us and is not shared with third parties.
Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR)
Website: https://matomo.org/
We maintain online presences within social networks and process user data within this context to communicate with users active there or to offer information about us.
We point out that in doing so, data of users may be processed outside the area of the European Union.
This can result in risks for users because, for example, the enforcement of user rights could be made more difficult.
Furthermore, user data within social networks is usually processed for market research and advertising purposes.
For example, usage profiles can be created based on usage behavior and resulting user interests.
The usage profiles can in turn be used to place advertisements inside and outside the networks that presumably match the interests of the users.
For these purposes, cookies are usually stored on the users’ computers, in which the usage behavior and the interests of the users are stored.
Furthermore, data can be stored in the usage profiles independently of the devices used by the users (especially if the users are members of the respective platforms and are logged in).
For a detailed description of the respective processing and the options to object (opt-out), we refer to the privacy policies and information provided by the operators of the respective networks.
In the case of information requests and the assertion of data subject rights, we also point out that these can be asserted most effectively with the providers.
Only the providers have access to the users’ data and can take appropriate measures directly and provide information.
Types of data processed:
Contact data (e.g., email, telephone numbers)
Content data (e.g., entries in online forms)
Usage data (e.g., visited websites, interest in content, access times)
Meta-/Communication data (e.g., device information, IP addresses)
Data subjects:
Users (e.g., website visitors, users of online services)
Purposes of processing:
Contact inquiries and communication
Feedback (e.g., collection of feedback via online form)
Marketing
Legal bases:
Legitimate interests (Art. 6(1)(f) GDPR)
Instagram:
Social network;
Service provider: Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA;
Legal bases: Legitimate interests (Art. 6(1)(f) GDPR);
Website: https://www.instagram.com;
Privacy policy: https://instagram.com/about/legal/privacy
Profiles within the social network Facebook — we are jointly responsible with Meta Platforms Ireland Limited for the collection (but not the further processing) of data of visitors to our Facebook page (“fan page”).
This data includes information about the types of content users view or interact with, or actions they take (see “Things you and others do and provide” in Facebook’s Data Policy: https://www.facebook.com/policy), as well as information about the devices used by users (e.g., IP addresses, operating system, browser type, language settings, cookie data; see “Device information” in the Facebook Data Policy: https://www.facebook.com/policy).
As explained in Facebook’s Data Policy under “How do we use this information?”, Facebook also collects and uses information to provide analytics services called “Page Insights” to page operators so that they can gain insights about how people interact with their pages and associated content.
We have entered into a specific agreement with Facebook (“Information about Page Insights,” https://www.facebook.com/legal/terms/page_controller_addendum), which, in particular, stipulates what security measures Facebook must observe and in which Facebook has agreed to fulfill the rights of data subjects (i.e., users can, for example, address information or deletion requests directly to Facebook).
The rights of users (especially to information, deletion, objection, and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook.
Further information can be found in the “Information about Page Insights” (https://www.facebook.com/legal/terms/information_about_page_insights_data).
Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland;
Legal bases: Legitimate interests (Art. 6(1)(f) GDPR);
Website: https://www.facebook.com;
Privacy policy: https://www.facebook.com/about/privacy;
Standard Contractual Clauses (guaranteeing data protection when processing in third countries): https://www.facebook.com/legal/EU_data_transfer_addendum
Twitter:
Social network;
Service provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland;
Parent company: Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA;
Legal bases: Legitimate interests (Art. 6(1)(f) GDPR);
Privacy policy: https://twitter.com/privacy;
Settings: https://twitter.com/personalization
Social network and video platform;
Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland;
Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA;
Legal bases: Legitimate interests (Art. 6(1)(f) GDPR);
Privacy policy: https://policies.google.com/privacy;
Opt-out options: https://adssettings.google.com/authenticated
We integrate functional and content elements into our Online Offer that are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”).
This may, for example, involve graphics, videos, or city maps (hereinafter uniformly referred to as “content”).
The integration always presupposes that the third-party providers of this content process the IP addresses of the users, since they could not send the content to their browsers without the IP address.
Thus, the IP address is required for the display of this content or functions.
We strive to use only content whose respective providers use the IP address solely for the delivery of the content.
Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes.
Through these pixel tags, information such as visitor traffic on the pages of this website can be evaluated.
The pseudonymous information may also be stored in cookies on the user’s device and contain, among other things, technical information about the browser and operating system, referring websites, visit time, and other information about the use of our Online Offer, as well as be linked to such information from other sources.
Types of data processed:
Usage data (e.g., visited websites, interest in content, access times)
Meta-/Communication data (e.g., device information, IP addresses)
Data subjects:
Users (e.g., website visitors, users of online services)
Purposes of processing:
Provision of our Online Offer and user-friendliness
Legal bases:
Legitimate interests (Art. 6(1)(f) GDPR)
Fonts (“Google Fonts”) for the purpose of a user-friendly display of our Online Offer;
Service provider: The Google Fonts are hosted on our server, and no data is transmitted to Google;
Legal bases: Legitimate interests (Art. 6(1)(f) GDPR)
We ask you to regularly inform yourself about the content of our privacy policy.
We adjust the privacy policy as soon as the changes to the data processing carried out by us make this necessary.
We will inform you as soon as the changes require your cooperation (e.g., consent) or other individual notification.
If we provide addresses and contact information of companies and organizations in this privacy policy, please note that addresses may change over time, and verify the information before making contact.
As a data subject, you have various rights under the GDPR, which arise in particular from Articles 15 to 21 GDPR:
Right to Object:
You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you, which is carried out on the basis of Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions.
If personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling insofar as it is associated with such direct marketing.
Right to Withdraw Consent:
You have the right to withdraw your consent at any time.
Right of Access:
You have the right to request confirmation as to whether data concerning you is being processed and to obtain information about this data as well as further information and a copy of the data in accordance with the legal requirements.
Right to Rectification:
You have the right to request the completion of data concerning you or the correction of incorrect data concerning you in accordance with the legal requirements.
Right to Erasure and Restriction of Processing:
You have the right, in accordance with the legal requirements, to request that data concerning you be deleted immediately, or alternatively, to request a restriction of the processing of the data according to the legal requirements.
Right to Data Portability:
You have the right to receive the data concerning you that you have provided to us in a structured, commonly used, and machine-readable format or to request its transmission to another controller.
Right to Lodge a Complaint with a Supervisory Authority:
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement, if you believe that the processing of personal data concerning you violates the requirements of the GDPR.
In this section, you will find an overview of the terms used in this privacy policy.
Many of the terms are taken from the law and are defined in particular in Art. 4 GDPR.
The legal definitions are binding.
The following explanations, however, are primarily intended to aid understanding.
The terms are sorted alphabetically.
“Personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”);
an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Processing of “profiles with user-related information” or “profiles” means any kind of automated processing of personal data consisting of using this personal data to evaluate, analyze, or predict certain personal aspects relating to a natural person (depending on the type of profiling, this may include different information concerning demographics, behavior, and interests, such as interaction with websites and their content, etc.).
Cookies and web beacons are often used for the purposes of profiling.
The reach measurement (also referred to as web analytics) serves to evaluate the visitor flows of an online offer and can include behavior or interests of visitors in certain information, such as website content.
With the help of reach analysis, website owners can, for example, recognize at what time visitors visit their website and which content they are interested in.
This enables them to better adapt website content to visitors’ needs.
Pseudonymous cookies and web beacons are often used for reach measurement in order to recognize returning visitors and thus obtain more precise analyses about the use of an online offer.
The “controller” is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Processing” means any operation or set of operations performed on personal data, whether or not by automated means.
The term is broad and covers practically any handling of data, including collection, evaluation, storage, transmission, or deletion.
(Created with Datenschutz-Generator.de by RA Dr. Thomas Schwenke)