Privacy Policy
I. Scope of validity
This Privacy Policy applies to all sites which are accessible under the address www.caritas-germany.org including their subpages (hereinafter "website”).
II. Legal bases
The legal bases for the protection of data can be found in the German Church Data Protection Act (KDG).
III. Name and address of the party responsible
Party responsible in the context of the German Church Data Protection Act (KDG):
Deutscher Caritasverband e. V.
represented by the President Eva M. Welskop-Deffaa
Karlstraße 40
79104 Freiburg
Phone: +49 (0)761 200-0
Email: info@caritas.de
IV. Name and address of the data protection officer
The following person was appointed as the organisation’s data protection officer in the context of the German Church Data Protection Act (KDG):
Dr. Sebastian Ertel
data protection nord Ltd
Konsul-Smidt-Str. 88
28217 Bremen (Germany)
E-Mail: datenschutz@caritas.de
Telefon: +49 (0)421 69 66 32 0
V. Contact details of the supervisory authority which has jurisdiction
The diocese data protection officer for the (Arch-)Dioceses of Freiburg, Fulda, Limburg, Mainz, Rottenburg-Stuttgart, Speyer and Trier is:
Ursula Becker-Rathmair
Catholic Data Protection Centre (Katholisches Datenschutzzentrum) Frankfurt/Main
Haus am Dom Domplatz 3
60311 Frankfurt
Phone: +49 (0)69 80087188 00
Fax: +49 (0)69 80087188 15
Email: info@kdsz-ffm.de
VI. Principles for the processing of personal data
The following principles apply to all processing procedures which are explained in this Privacy Policy:
1. Purpose and scope of processing of personal data
Personal data is only collected for the purposes specified. The scope of processing is limited to the extent required for the purposes of processing.
2. Further processing of personal data for other purposes
Further processing for a different purpose is possible if at least one of the conditions set forth in § 6 (2) of the German Church Data Protection Act (KDG) is given. This is the case, amongst others, if:
- A legal provision prescribes or peremptorily presupposes such
- It is evident that such is in the interest of the person in question, and there is no reason to assume that this person would not grant consent to the different purpose if the person were aware of that purpose
- The information provided by the person in question needs to be verified because there are actual indications of its being incorrect
- The data is generally accessible or the party responsible is permitted to publish it, and this is not obviously outweighed by any interest of the person in question which is entitled to protection
- It is required for the prosecution of criminal acts or misdemeanours, or for the enforcement of rulings involving fines
- It is required in order to avert a major infringement upon the rights of a third party
In addition, the party responsible reserves the right to process personal data if necessary and to the extent required for the protection of that party’s legitimate interest in asserting, exercising or defending legal claims.
3. Legal bases for the processing of personal data
It is possible to process personal data if at least one of the following conditions is given:
- Order or permission as a result of a legal provision of church or state (§ 6 (1) lit. a of the German Church Data Protection Act (KDG))
- Consent of the data subject (§ 6 (1) lit. b KDG)
- Requirement for contract fulfilment or the performance of pre-contractual measures (§ 6 (1) lit. c KDG)
- Fulfilment of a legal obligation (§ 6 (1) lit. d KDG)
- Safeguarding of a legitimate interest of ours or that of a third party insofar as such is not outweighed by the interests, basic rights or fundamental freedoms of the data subject (§ 6 (1) lit. g KDG)
4. Storage period of personal data
The personal data of the data subject is deleted or blocked as soon as the purpose of storage ceases to apply. Furthermore, data may be stored if this has been provided for by the European or national legislator in Union regulations, laws or other regulations to which the person responsible is subject (e.g. church archive ordinance). Data is also blocked or deleted when a storage period prescribed by the aforementioned norms expires, unless there is a need to continue storing the data for the purpose of concluding or fulfilling a contract.
5. Recipients of personal data
In principle, the recipients of the personal data of data subjects are only the person responsible and processors appointed by the person responsible who are required to comply with data protection law. In addition, data may be passed on to third parties if the person responsible is entitled to do so by virtue of a permission norm or is obliged to do so by law or by administrative or court orders.
6. Transfer of personal data to third states
Should the personal data of data subjects be transferred to countries outside the European Union (EU) or outside the European Economic Area (EEA), this will only take place if there is an adequacy decision of the European Commission - unless such is in conflict with important church interests - (§ 40 (1) of the German Church Data Protection Act (KDG)) or if suitable guarantees exist (§ 40 (2) KDG) or under the conditions of § 41 KDG for exceptions in specific cases.
7. Existence of an automated decision-making system
As a responsible organisation, we forego the use of an automated decision-making system or profiling.
VII. Information concerning CariNet’s CDN service
Under the domain cdn.carinet.de, the person responsible operates the content delivery network (CDN) of Caritas websites of the CMS of the Deutscher Caritasverband e. V. (CariNet CMS). The web servers which execute the CDN belong to the servers via which this website is also hosted. A content delivery network (CDN), also called a content distribution network, is a network of servers used for the fast transfer of content which is mainly static, such as large media files. A CDN makes scaling storage and transfer capacities available and ensures optimum data throughput and quick website loading times even during major peak volumes. When the website is accessed, an automatic connection is established to the CDN server, which belongs to the webservers delivering the website. A centralised URL cdn.carinet.de is used in order to make centralised and static media (e.g. the Caritas logo and Caritas designs) available from the centralised data pool and to optimise loading times for all websites of the CariNet CMS regardless of which domain is accessed.
VIII. Automatic data collection when our website is accessed
Every time our website is accessed, our system automatically collects information from the computer system of the calling computer.
1. Scope of processing
The following data is collected:
- Browser type, operating system and version
- IP address of the user
- Date and time of access
- Websites via which the user’s system accesses our website
- Pages of our website which are accessed by the user’s system
The data is stored in log file. There is no storage of this data in conjunction with any other personal data of the user. When the personal reference of the data is no longer needed for the achievement of purposes, the data is anonymised by means of truncating the IP address.
2. Legal basis for processing
The legal basis for processing is § 6 (1) lit. g of the German Church Data Protection Act (KDG).
3. Purpose of processing
The system must be able to process the IP address in order to enable delivery of the website to the user’s computer. The storage in log files is performed in order to safeguard our predominantly overriding legitimate interests in the context of § 6 (1) lit. g of the German Church Data Protection Act (KDG) in the detection and remediation of disruptions and for securing evidence in the case of a cyberattack. The data is used in anonymised form for the statistical analysis of page views.
4. Storage period
Personal data in log files is anonymised after 14 days provided that a longer storage period is not necessary for fulfilment of the aforementioned purposes.
5. Objection and remediation options
Since this data is absolutely necessary for ensuring the functionality and security of our information technology systems, no option is provided for objecting to processing.
IX. Cookies and similar technologies
Our website uses cookies. Cookies are text files which are created by the browser when a site is called up in order to store data about a browser during and after a visit to a site. Unique character strings are regularly stored in the cookie to enable a server to recognise a browser. Cookies can be stored by the site accessed (first party) or by third parties (third party) if their services are used on the site accessed. If a third-party service is used on several websites, the third party can store information about user activity in cookies and track this across multiple sites. In the cookie, the domain of the site from which the cookie originates is saved, and access is restricted to this domain. Cookies are valid either for the duration of a browser session (session cookies) or until a time specified in the cookie (persistent cookies). Expired cookies are no longer loaded by the browser when the site is accessed and are directly deleted or overwritten, depending on the browser.
You can set your browser up so that you are notified about any cookies which are placed, allow the acceptance of cookies in specific cases or exclude them in general, or activate a function to automatically delete them when you close the browser. However, under certain circumstances, not all functions of our website are fully usable if cookies are deactivated. Information on the cookie settings of your browser can be found in the help section of the browser or under the following links:
- Google Chrome: https://support.google.com/accounts/answer/61416?hl=de
- Mozilla Firefox: https://support.mozilla.org/de/kb/Cookies-blockieren
- Safari: https://support.apple.com/kb/PH17191?locale=de_DE&viewlocale=de_DE
- Internet Explorer: https://support.microsoft.com/de-de/help/17442/windows-internet-explorer-delete-manage-cookies
- Opera: https://help.opera.com/de/latest/web-preferences/
Moreover, data can be stored for the same purposes in the so-called local storage or local session storage of your browser.
The following data may be stored on your device when our website is accessed:
Name | Service | Domain | Type | Valid for |
ASP.NET_SessionId | Website | www.caritas-germany.org | First-Party HTTP-Cookie | Session |
ARRAffinity |
Website | www.caritas-germany.org | First-Party HTTP-Cookie | Session |
klarocookieconsent | Website | www.caritas-germany.org | First-Party HTTP-Cookie | 14 days |
X. Google services
Our website uses various services provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter "Google”). For more information, please refer to "Further information” at the end of this section.
1. YouTube videos
Plugins belonging to YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA (hereinafter "YouTube”), a Google subsidiary, are used on this website.
a) Scope of processing
When you visit one of our pages containing embedded YouTube videos, your browser establishes connections to YouTube servers in the USA in order to load resources for the video components, preview images and fonts. This involves transmitting your IP address, the address of the site accessed and technical connection data to YouTube. YouTube is able to assign this information to your personal YouTube account if you are logged in when you access the site.
YouTube videos are embedded in our website in extended data protection mode. As a result, YouTube is instructed to not store any cookies for analysis of usage behaviour or collect any data for personalisation of the videos shown. If a user clicks or taps an embedded video and is forwarded to a different website or app, it is possible that the usage behaviour will be analysed there as per the guidelines and terms and conditions of use of that website or app. Please refer to https://support.google.com/youtube/answer/171780?hl=de for more information.
b) Legal basis for processing
The legal basis for the use of plugins is § 6 (1) lit. g of the German Church Data Protection Act (KDG).
c) Purpose of processing
We use plugins from YouTube in order to display video content on our website. YouTube makes the required storage space and the technical infrastructure available for the provision of video content. By publishing the video content via the YouTube platform, we are able to reach a wide audience. Processing carried out for these purposes constitutes an overriding legitimate interest.
d) Storage period
We do not store any personal data within the scope of using YouTube plugins. The storage of data by YouTube is as per the provider’s data privacy provisions.
e) Objection and remediation options
You can object to processing by blocking connections to domains from YouTube in general or for our website. For this it is possible to use browser extensions such as uBlock Origin (https://github.com/gorhill/uBlock/) or Ghostery (https://www.ghostery.com/).
2. Google Maps
The Google Maps service is used on this website.
a) Scope of processing
The map content is integrated via an API and provided by Google. For the transmission of this content, it is necessary to establish a connection between your device and the Google servers. If you have activated Google Maps for our website and have accessed a page of our website in which maps from Google Maps are embedded, your IP address, the address of the site accessed and technical connection data will as a rule be transmitted to a Google server where it will be processed. We have no influence on Google’s data processing.
If you use Google Maps content via our site, Google’s terms and conditions of use apply, as well as the additional terms and conditions of use for Google Maps. When visitors use Google Maps, they thus enter into a direct usage relationship with Google.
b) Legal basis for processing
We only use Google Maps if you have granted us your consent to do so. In this case, the legal basis for the described processing of connection data is § 6 (1) lit. b of the German Church Data Protection Act (KDG). We and Google are jointly responsible for the data processed via the Maps API. You will find more information on this topic below in the agreement concluded between Google and us concerning joint responsibility.
c) Purpose of processing
Google Maps is used for displaying geographical maps.
d) Storage period
We do not store any personal data within the scope of the use of Google Maps. The storage of data by Google is as per the provider’s data privacy provisions.
e) Objection and remediation options
You can view the status of Google Maps via our Consent Manager and revoke any consent granted at any time. The legality of the processing performed up to the time of revocation of consent is not affected by the revocation.
Your decision on the use of the service is stored in a cookie (see above). It is only valid for this browser and must be renewed after 14 days. Deleting the "klarocookieconsent” cookie results in revocation of consent granted.
3. Further information
- About Google’s Privacy Shield Certificate on the Privacy Shield Framework website: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI
- About the terms and conditions for Google Maps: https://www.google.com/intl/de_de/help/terms_maps.html
- About the agreement on the joint responsibility for Google Maps: https://privacy.google.com/intl/de/businesses/mapscontrollerterms/
- About Google’s Privacy Policy and terms and conditions of use: https://policies.google.com/?hl=de
- About the criteria for storing resulting connection data: https://policies.google.com/technologies/retention?hl=de
XI. Contact
On our website, contact data such as addresses, phone numbers and email addresses are specified which enable fast contact and direct communication with us and with the partners who work with us. A contact form is also provided on our website.
1. Scope of processing
When you contact us, we process the personal data you give us dependent on the means of communication chosen. This may be your full name, address, phone number used, email address used and further personal information which you share with us in the course of the communication.
2. Legal basis for processing
The legal basis for processing personal data within the scope of communication is § 6 (1) lit. g of the German Church Data Protection Act (KDG). If contact is made with the aim of concluding a contract, then § 6 (1) lit. c KDG is an additional legal basis for processing.
3. Purpose of processing
We process your data only for editing the purpose of contact, for communication with you and for the purpose of tracking communication which has already taken place. Our legitimate interest in processing also lies in these purposes respectively.
4. Storage period
Data is deleted or blocked as soon as it is no longer required for fulfilment of the purpose. Furthermore, the general provisions apply for the storage period.
5. Objection and remediation options
Data subjects have the option of objecting to the processing of their personal data. They can reach us in this regard using the contact details provided.
XII. Social media plugins
Our website contains links to social media platforms. Some of these links contain parameters which, depending on the platform, transfer information to enable the use of interactive functions. At present, our website contains links to the platforms Facebook and Twitter. We are not responsible for the processing carried out on the linked to platforms and provide the following information for reasons of transparency.
If you click a button with the label "Share” or the thumbs-up symbol or the "f” which is typical of Facebook or the camera symbol which is typical of the Instagram platform, your browser establishes a connection to servers of Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (hereinafter "Facebook”).
If you click a button with the label "Tweet” or the bird symbol, your browser establishes a connection to Twitter, Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA (hereinafter "Twitter”).
Facebook or Twitter then receive the information that you have visited the corresponding subpage of our website, regardless of whether you are registered with the service provider or logged on. If you are logged onto the corresponding service provider at the time the site is accessed, this information is assigned to your user account and may be displayed publicly. Moreover, the provider will process your IP address, information concerning the browser and device used and data collected on the corresponding platform, and may place cookies on your device. We have no influence whatsoever on the type and scope of the processing of personal data on the service provider’s sites and merely link to that provider’s offering.
XIII. Rights of data subjects
Data subjects are entitled to the following rights vis-à-vis the person responsible:
1. Right to revocation of consent (§ 8 (6) of the German Church Data Protection Act (KDG))
You can revoke any consent once granted for the processing of data at any time, effective in the future.
2. Right to information (§ 17 of the German Church Data Protection Act (KDG))
You can demand information as to whether personal data of yours is processed. In particular, you can demand information concerning the processing purposes, the category of the personal data, the categories of recipients to whom your data has been or will be disclosed, the planned period of storage or criteria for such, the existence of a right to rectification, deletion, restriction of processing, objection or the existence of the right to lodge a complaint. In addition, you can demand information concerning the origin of data which was not collected from you. Moreover, you can demand to be informed as to whether decision-making is automated, whether data is transferred to a third country or an international organisation and on the basis of which guarantees this is carried out. You can demand a copy of the personal data pertaining to you as long as such demand does not consequently infringe upon the rights and freedoms of other persons.
3. Right to rectification (§ 18 of the German Church Data Protection Act (KDG))
You can demand the immediate rectification of personal data stored which is incorrect or, in consideration of the processing purposes, you can demand that missing information be added to your stored personal data.
4. Right to deletion (§ 19 of the German Church Data Protection Act (KDG))
You can demand the deletion of your stored personal data if the purpose for the processing ceases to exist as a result of expiration of the time period or for other reasons, you revoke your consent or have objected to the processing and there are no superseding reasons for the processing or any other legal bases, the legal basis for the data processing is lacking or has ceased to exist and the processing is not required for the exercising of the right of free speech and information, for the fulfilment of a legal obligation, for reasons of public interest or for the assertion, exercising or defending of legal claims. If we have made your data public, then we are obligated to undertake appropriate measures to inform every recipient that you have demanded that all links to and copies of the personal data in question be deleted. If the data has been unlawfully processed and deletion would involve disproportionately high levels of effort, the right to deletion shall be replaced by the right to restriction of processing as per § 20 of the German Church Data Protection Act (KDG).
5. Right to restriction of processing (§ 20 of the German Church Data Protection Act (KDG))
You have the right to restriction of processing if you dispute the correctness of the personal data in question for a period which allows the party responsible to ascertain the correctness of the personal data; the processing is unlawful and you refuse deletion of the personal data, demanding instead that the use of this personal data be restricted; we no longer require the personal data for the purposes of processing, however you require such for the assertion, exercising or defending of legal claims, or if you have submitted an objection to processing as per § 23 of the German Church Data Protection Act (KDG) and it has not yet been determined whether our legitimate grounds outweigh your grounds.
6. Right to data portability (§ 22 of the German Church Data Protection Act (KDG))
You have the right to demand that the personal data transmitted on the basis of your consent or on the basis of a contract concluded with us be sent to you in a structured, conventional and machine-readable format or that such be transmitted to a different party responsible insofar as such does not infringe upon the rights and freedoms of other persons.
7. Right to objection (§ 23 of the German Church Data Protection Act (KDG))
For reasons arising from your particular situation, you have a right to object to processing which we carry out in order to protect our legitimate interests unless we are able to ascertain grounds for processing which are worthy of upholding which outweigh your interests, rights and freedoms. You have the right to object at any time to processing which we carry out for the purposes of direct marketing or fundraising. Then it is no longer permissible to continue processing your data for these purposes.
8. Right to lodge a complaint (§ 48 (1) of the German Church Data Protection Act (KDG))
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you are of the opinion that the processing of your personal data is in violation of data protection provisions.
XIV. Amendment of these data protection provisions
We reserve the right to adapt this Privacy Policy so that it always corresponds to current legal requirements or in order to account for any changes to our services in the Privacy Policy. The new Privacy Policy will then apply to your next visit.