Data Protection

Thank you for your interest in our website. The protection of your personal data is important to us. Personal data is any information relating to an identified or identifiable natural person (e.g. name, IP address, e-mail address). Personal data is processed to provide our website and within the framework of legal requirements and to protect our legitimate interests, insofar as this is necessary. It is carried out exclusively in accordance with the applicable data protection regulations, in particular the General Data Protection Regulation (GDPR).

This privacy policy informs you about the type, scope and purpose of the processing of personal data when using this website.

1 General information on data processing on this website

1.1 Controller responsible

The controller within the meaning of the EU General Data Protection Regulation (GDPR) is

Zentrum für Data-driven Empowerment, Leadership and Advocacy (zedela) gUG (haftungsbeschränkt)

Address: Großgörschenstraße 27, 10829 Berlin, Germany

E-mail: info@zedela.org

Homepage: https://www.zedela.org/

1.2 Data protection officer

The data protection officer is

Alexander Hönsch from WS Datenschutz GmbH

If you have any questions about data protection, you can contact WS Datenschutz GmbH at the following e-mail address: zedela@ws-datenschutz.de.

Address: Dircksenstraße 51, 10178 Berlin, Germany

Homepage: https://webersohnundscholtz.de

1.3 Protection of your data

We have taken technical and organizational measures to ensure that the provisions of the GDPR are observed both by us and by external service providers who work for us.

If we work with other companies, such as email and server providers, to provide our services, this is only done after an extensive selection process. In this selection process, each individual service provider is carefully selected for its suitability in connection with technical and organizational skills in data protection. This selection process is documented in writing and a contract in accordance with Art. 28 para. 3 GDPR on the processing of personal data on behalf (DP contract) is only concluded if it meets the requirements of Art. 28 GDPR.

Your data is stored on specially protected servers. The servers are protected by firewalls and access controls. Only a few authorized persons have access to personal data.

Our website is SSL/TLS encrypted, which you can recognize by the “https://” at the beginning of the URL. If personal data is involved in e-mail communication, e-mails are sent encrypted from our end. We also use the integrated SSL certificate for this purpose.

zedela gUG undertakes to take appropriate and legally compliant contractual agreements and control measures to ensure data protection and data security, including for outsourced ancillary services.

1.4 Deletion of personal data

We only process personal data for as long as is necessary. As soon as the purpose of the data processing has been fulfilled, the data will be blocked and erased in accordance with the standards of the erasure concept here, unless statutory provisions prevent erasure.

2 Collection and storage of personal data when visiting the website

2.1 Server log files and access data

When you visit our website, our web servers temporarily store every access in a log file. Your IP address is recorded and stored until it is automatically deleted. The data processing takes place for the purpose of enabling the use of the website and serves the system security, the technical administration of the network infrastructure and the subsequent anonymization of the IP address by our service providers. The IP address is also evaluated against attacks and unlawful access by third parties to our IT infrastructure.

‍2.2 Hosting service provider

The data is stored on servers of netcup GmbH, Daimlerstr. 25, 76185 Karlsruhe, Germany. We have concluded an order processing contract with netcup in accordance with Art. 28 GDPR. Further information on data processing by netcup can be found in netcup’s privacy policy: https://www.netcup.com/de/kontakt/datenschutzerklaerung

3 Plausible Analytics

3.1 Description and scope of data processing

We use Plausible Analytics to compile anonymous statistics about the use of our website. Plausible does not collect any personal data such as IP addresses or cookies and does not use tracking technologies to identify individual users.

The data processing is carried out by: Plausible Insights OÜ, Väike-Paala 2-63, 11415 Tallinn, Estonia.

Plausible collects aggregated usage data, including the number of visitors, the origin of the traffic, the pages viewed and interaction times. All data collected is completely anonymized and does not allow any conclusions to be drawn about individual users.

Further information on the handling of personal data can be found in Plausible’s privacy policy at: https://plausible.io/data-policy

3.2 Legal basis for data processing

The legal basis for the use of Plausible Analytics is our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f) GDPR, as the analysis is anonymous and contributes to the improvement of our offer.

3.3 Purpose of the data processing

The use of Plausible Analytics serves to analyze the use of our website in order to better tailor our offer to the needs of users. We attach great importance to data protection and deliberately refrain from using personal data or invasive tracking technologies.

3.4 Duration of data storage

The anonymous usage data collected is stored permanently, as it does not allow any conclusions to be drawn about individual persons and is used exclusively for statistical purposes.

3.5 Possibility of removal by the data subject

Since Plausible Analytics does not store any personal data or use cookies, no individual deactivation is required. If you still have concerns, you can use tracking blockers or appropriate browser settings to prevent access to Plausible Analytics scripts.

4 Newsletter

4.1 Description and scope of data processing

We offer the option of subscribing to our newsletter on our website. When you subscribe to the newsletter, you will be asked to provide personal data for processing. This is the data that is requested in the newsletter input mask. Input fields marked with an ”*” are mandatory fields:

• First name
• Surname
• e-mail address

These mandatory fields are required in order to send you the newsletter.

The newsletter is sent by e-mail. You will only receive the newsletter after registering for it. In order to meet the requirements of the GDPR, we use the so-called DOI procedure (“double opt-in”). If you register for our newsletter, you will receive a confirmation e-mail to the electronic mailbox specified in the input field. This e-mail contains a confirmation link that you must click on. After this procedure, you have successfully registered for the newsletter. The IP address, date and time of registration are stored in order to carry out the procedure. This is to prevent misuse. The data will not be passed on to third parties. This data is only stored as proof of proper registration and, if necessary, to defend against claims and is deleted after 3 years (limitation period according to § 195 BGB).

4.2 Legal basis for data processing

The legal basis for data processing is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR. Existing customers can also receive our newsletter without their express consent. This is only done within the narrow limits of Section 7 (3) UWG (Act against Unfair Competition) and in accordance with Art. 95 GDPR. This corresponds to the legal basis of Art. 6 para. 1 s.1 lit. f) GDPR. Our legitimate interest is to inform our existing customers about our projects by email and thus stay in contact with them.

4.3 Purpose of the data processing

The purpose of the newsletter is to inform you about news from us at regular intervals.

4.4 Duration of data storage

We will only process your data for as long as is necessary to fulfill the purpose and for as long as there are no legal or official retention obligations to prevent deletion.

4.5 Possibility of erasure by the data subject

Consent to the processing of personal data as part of the newsletter subscription can be withdrawn at any time. To do so, you can click on the unsubscribe link integrated in every newsletter or inform us of your withdrawal of consent in another way.

4.6 Shipping service provider Brevo

4.6.1 Description and scope of data processing

The newsletter is sent via “Brevo”, an online marketing platform. The data processing is carried out by: Sendinblue GmbH (“Brevo”), Köpenicker Straße 126, 10179 Berlin, Germany.

The email addresses of our newsletter recipients, as well as their other data described in this notice, are stored on Brevo’s servers in the EU. Brevo is a certified provider that has been selected in accordance with the requirements of the General Data Protection Regulation and the Federal Data Protection Act. Brevo processes the personal data on our behalf and in accordance with our instructions on the basis of an order processing contract concluded with the company in accordance with Art. 28 para. 3 GDPR.

Further information on data protection at Brevo can be found here Privacy Policy - Protection of Personal Data | Brevo

4.6.2 Legal basis for data processing

Data processing by Brevo is based on a legitimate interest on our part in an effective and secure transmission of the newsletter to you, in accordance with Art. 6 para. 1 sentence 1 lit. f) GDPR.

4.6.3 Purpose of the data processing

We use Brevo as our mailing service provider to ensure effective address management and to stay in contact with you via the newsletter.

4.6.4 Duration of data storage

Brevo deletes personal data as soon as the purpose of the data processing has been achieved and no legal, contractual or official regulations prevent deletion. This is the case no later than 100 days after termination of the contract between us and Brevo

4.6.5 Possibility of deletion by the data subject

You have the option to withdraw your consent at any time. To do so, please contact our data protection officer. You can also use the “opt-out” link at the end of each email at any time, which will result in us deleting your email address from our address file, which is why Brevo will then no longer process your personal data. However, this has no effect on address files that Brevo manages on behalf of other clients.

5 Your rights

You have the following rights vis-à-vis us with regard to your personal data:

5.1 Right to withdraw consent (cf. Art. 7 GDPR)

If you have given your consent to the processing of your data, you can withdraw this at any time. Such a revocation affects the permissibility of processing your personal data for the future after you have given it to us. It can be made verbally (by telephone) or in writing by post or e-mail to us.

5.2 Right to information (see Art. 15 GDPR)

In the event of a request for information, you must provide sufficient information about your identity and provide proof that the information is yours. The information concerns the following information

• the purposes for which the personal data is processed
• the categories of personal data being processed
• the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed
• the envisaged period for which the personal data concerning you will be stored, or, if specific information on this is not possible, the criteria used to determine that period
• the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing
• the existence of a right to lodge a complaint with a supervisory authority
• all available information about the origin of the data if the personal data is not collected from the data subject
• the existence of automated decision-making, including profiling, referred to in Art. 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

5.3 Right to rectification or erasure (see Art. 16, 17 GDPR)

You have a right to rectification and/or completion vis-à-vis us as the controller if the processed personal data concerning you is incorrect or incomplete. The controller must carry out the rectification without undue delay.

You can also request the erasure of personal data concerning you if one of the following reasons applies to you:

• The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
• You withdraw your consent on which the processing was based pursuant to Art. 6 para. 1 sentence 1 lit. a) or Art. 9 para. 2 lit. a) GDPR and there is no other legal basis for the processing.
• You object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR.
• The personal data concerning you has been processed unlawfully.
• The deletion of personal data concerning you is necessary to fulfill a legal obligation under Union law or the law of the Member States to which the controller is subject.
• The personal data concerning you have been collected in relation to the offer of information society services referred to in Art. 8 (1) GDPR.

If we have made the personal data concerning you public and we are obliged to delete it in accordance with Art. 17 para. 1 GDPR, we will take all reasonable measures to inform other data controllers that you have requested the deletion of all links to this personal data or of copies or replications of this personal data.

The right to erasure does not exist insofar as the processing is necessary

• For exercising the right of freedom of expression and information;
• for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
• for reasons of public interest in the area of public health pursuant to Art. 9 (2) (h) and (i) and Art. 9 (3) GDPR
• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 para. 1 GDPR, insofar as the aforementioned right is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
• for the establishment, exercise or defense of legal claims.

5.4 Right to restriction of processing (see Art. 18 GDPR)

Under the following conditions, you may request that we restrict the processing of your personal data

• if you contest the accuracy of the personal data concerning you for a period enabling us to verify the accuracy of your personal data;
• the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead
• we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims; or
• if you have objected to the processing pursuant to Art. 21 para. 1 GDPR and it is not yet certain whether our legitimate reasons outweigh your reasons.

If the processing of personal data concerning you has been restricted, this data - apart from its storage - may only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If the restriction of processing has been restricted in accordance with the above conditions, you will be informed by us before the restriction is lifted.

5.5 Right to information (see Art. 19 GDPR)

If you have asserted your right to rectification, erasure or restriction of data processing against us, we are obliged to inform all recipients of your personal data of the rectification, erasure or restriction of data processing. This only applies insofar as this notification does not prove to be impossible or would involve a disproportionate effort.

You have the right to know which recipients have received your data.

5.6 Right to data portability (see Art. 20 GDPR)

You have the right to receive your personal data from us in a commonly used, machine-readable format so that it can be forwarded to another controller if necessary, provided that

• the processing is based on consent pursuant to Art. 6 para. 1 sentence 1 lit. a) GDPR or Art. 9 para. 2 lit. a) GDPR or on a contract pursuant to Art. 6 para. 1 sentence 1 lit. b) GDPR and
• the processing is carried out by automated means.

When exercising your right to data portability, you have the right to obtain that the personal data be transferred directly by us to another controller, insofar as this is technically feasible.

The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

5.7 Right to object to processing (see Art. 21 GDPR)

Insofar as we base the processing of your personal data on a legitimate interest (pursuant to Art. 6 para. 1 sentence 1 lit. f) GDPR) on our part, you can object to the processing. The same applies if we base the data processing on Art. 6 para. 1 sentence 1 lit. e) GDPR.

When exercising such an objection, we ask you to explain the reasons why we should not process your personal data as we have done. In the event of your justified objection, we will examine the situation and either discontinue or adapt the data processing or point out to you our compelling reasons worthy of protection on the basis of which we will continue the processing.

5.8 Right to lodge a complaint with the competent supervisory authority (see Art. 77 GDPR)

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

The supervisory authority with which the complaint has been lodged will inform you of the status and outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

6 How to exercise these rights

To exercise these rights, please contact our data protection officer

Alexander Hönsch of WS Datenschutz GmbH

zedela@ws-datenschutz.de

or by post:

WS Datenschutz GmbH

Dircksenstraße 51

D-10178 Berlin

7 Subject to change

We reserve the right to amend this privacy policy in compliance with the statutory provisions.

Status July 2025