###Data Protection Statement Thank you for your interest in our online services. We are committed to protecting your privacy. In this Data Protection Statement you will find information on how we process your personal data. This Data Protection Statement applies to all websites accessible at https://community.engagement-global.de, including its subpages (hereinafter generally referred to as the ‘Website’). The General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) form the legal bases for data protection. ####Name and address of the Controller The provider of the Website in the legal sense is Engagement Global gGmbH - Service für Entwicklungsinitiativen (Service for Development Initiatives) legally represented by the Managing Directors Dr Jens Kreuter and Ingrid Arenz Friedrich-Ebert-Allee 40 53113 Bonn (hereinafter referred to as ‘Engagement Global’, ‘we’, ‘us’) ####Name and address of the Data Protection Officer The Data Protection Officer is Rechtsanwalt Ziar Kabir (lawyer) SCO:CON-SULT GmbH Hauptstraße 27 53604 Bad Honnef ####Definitions This Data Protection Statement is based on the terminology used by the European legislator in the General Data Protection Regulation (GDPR). For your information, the terms are explained below: **a. Personal data** Personal data means any information relating to an identified or identifiable natural person (hereinafter referred to as the ‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. **b. Data subject** Data subject means an identified or identifiable natural person whose personal data are being processed by the Controller. **c. Processing** Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. **d. Restriction of processing** Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future. **e. Pseudonymisation** Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. **f. Controller (person responsible for data processing)** The Controller (person responsible for data processing) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. **g. Processor** Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. **h. Recipient** Recipient means a natural or legal person, public authority, agency or another body to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients. **i. Third party** Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data. **j. Consent** Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to them. ####General information on data processing **a. Purpose and scope of the processing of personal data** The personal data of users of our website are generally processed only if this is necessary to safeguard and provide a functional website, facilitate the presented services, optimise our range of services and to fulfil the intended purpose. **b. Legal bases for processing personal data** We process the personal data of data subjects based on these statutory authorisations: - consent (point (a) of Article 6(1) GDPR), - fulfilling a contract or steps prior to entering into a contract (point (b) of Article 6(1) GDPR), - compliance with a legal obligation (point (c) of Article 6(1) GDPR), - for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (point (f) of Article 6(1) GDPR). **c. Data erasure and duration of storage of personal data** The personal data of the data subject will be erased or blocked routinely or as soon as the purpose for storing the data becomes obsolete. Data may also be stored if the storage is provided for by the European or national legislator in EU regulations, legislation or other provisions governing the Controller. Data will also be blocked or erased when a storage period required by any of the aforementioned laws or regulations expires unless there is a need for continued storage of the data for the purpose of concluding or fulfilling a contract. **d. Recipients of personal data** Recipients of the personal data of data subjects are generally only the controllers and processers employed by them subject to compliance with data protection laws. In addition, data may be transferred to third parties if the Controller is so authorised or legally obliged by virtue of a statutory authorisation. **e. Transfer of personal data to third countries** The personal data of data subjects shall only be transmitted to countries outside the European Union (EU) and/or outside the European Economic Area (EEA) provided there is an adequate level of protection (Article 45 GDPR) or subject to appropriate safeguards (Article 46 GDPR) or subject to the conditions of Article 49 GDPR in the case of derogations for specific situations. **f. Automated decision-making** As a responsible enterprise, we refrain from employing an automated decision-making process or profiling. ####Hosting As part of commissioned data processing, we employ external service providers to host the website. These service providers are obliged to comply with legal data protection provisions to the same extent as we are and to ensure that the data associated with the online services is handled reliably and securely. The personal data of the data subjects collected via the website are stored on the servers of HumHub GmbH & Co. KG in Nuremburg and Munich. The data are stored separately from other applications. The processor processes personal data only in accordance with the instructions of the Controllers and only to the extent necessary to fulfil their obligations. ####Connectivity data Each time a user connects to our website, our system automatically records information about the computer system of the retrieving computer. In this connection, the following data are collected: - the browser type and the version used, - the user’s operating system, - the user’s internet service provider, - the user’s IP address, - the date and time of access, - websites from which the user’s system has accessed our website, - websites the user’s system accesses via our website. The connectivity data are processed based on our legitimate interest in the transmission of the content of the website and in accordance with point (f) of Article 6(1) GDPR. The temporary processing of the IP address by our system is necessary for our system to provide our website to the user’s computer. The data may be stored by us for analysis and maintenance purposes. However, in this case, the IP address of the retrieving system will be anonymised. As these data are indispensable for the operation of the website, users do not have the option to object to this processing. ####Cookies and similar technologies Our website uses cookies. Cookies are text files that are created when your browser accesses a website which are used to store data about a browser during and after the visit to the website concerned. To this end, unique character sequences that allow a server to recognise a browser on the user’s return are regularly stored in a cookie. Cookies can be stored by the webpage visited (first party) or by third-party providers (third party), if their services are being deployed on the webpage visited. If a service of a third-party provider is used on several websites, the third-party provider may store information about user activities in cookies and track them over several webpages. The cookie stores the domain of the webpage from which the cookie originates, and access is limited to this domain. Cookies are valid either for the period of a browser session (session cookies) or for a period of time specified in the cookie (persistent cookies). Expired cookies will no longer be loaded by the browser upon your return to the website, and they will be deleted or overwritten depending on the browser. You can configure your browser so as to disable the storing of cookies. However, in this case, you may not be able to fully use all the functions of our website. Information on the cookie settings of your browser are available in the Help section of your browser or at the following links: - Google Chrome: https://support.google.com/accounts/answer/61416?hl=en (English website) - Mozilla Firefox: https://support.mozilla.org/en-US/kb/clear-cookies-and-site-data-firefox (English website) - Safari: https://support.apple.com/en-gb/guide/safari/sfri11471/mac (UK site) - Internet Explorer: https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies (UK website) - Opera: http://www.opera.com/help In addition, data can be stored for the same purposes in the local storage or the local session storage of your browser. The following data may be stored on your device after a visit to our website: | Name | Service | Domain | Typ | Validity| |-----------------------------|------------------|----------------------|-------------------------|------------| | PHPSESSID | Website | community.engagement-global.de | First-Party HTTP-Cookie | Session | | _csrf | Website | community.engagement-global.de | First-Party HTTP-Cookie | Session | | _identity | Website | community.engagement-global.de | First-Party HTTP-Cookie | Session | | _pm_getting-started-panel | Website | community.engagement-global.de | First-Party HTTP-Cookie | Session | | pm_panel-activities | Website | community.engagement-global.de | First-Party HTTP-Cookie | Session | | pm_panel-codebox | Website | community.engagement-global.de | First-Party HTTP-Cookie | Session | | pm_user-spaces-panel | Website | community.engagement-global.de | First-Party HTTP-Cookie | Session | When visiting our website, our system automatically stores a session cookie with an anonymous ID in your browser (‘session ID cookie’). This ID allows our system to track the websites visited during a browser session. This is necessary for us to provide our service and to keep the log-in of registered users active based on the stateless http protocol. The session ID cookie does not store personal data. ####Use of the Community Platform On our website, we provide a community platform (hereinafter: the ‘Community Platform’) for networking and cooperation as part of our programmes and services. **a. Registration** A user account must be created in order to use the platform. To this end, we first process the email address specified in your registration form to generate a confirmation email. The legal basis for doing so is point (f) of Article 6(1) GDPR. Our legitimate interest is the provision of a registration facility for the Community Platform. The confirmation email contains a link, which is used to transmit the information that the recipient wishes to confirm the registration. When you click on the link, the webpage for creating the account opens and the following data are collected: - user name (nickname) - first name - surname - IP address - date and time of registration At this point, a password must be created. In the form for creating the account, reference is made to this Data Protection Statement and the Terms of Use. To complete the registration, users must consent to this Data Protection Statement and the linked Terms of Use by ticking the corresponding box and then clicking on ‘Create account’. Both the processing of the personal data from the form and the subsequently listed processing of personal data during your use of the platform are based in this case on your consent in accordance with point (a) of Article 6(1) GDPR. The data from the form are transmitted to our system via an encrypted connection. **b. User profile** A profile page is created for each registered user with the data from the form for the creation of the account, which can be viewed by other registered users. In addition, users can voluntarily add other particulars to their user profile, which they can also make visible to other registered users by default. The accessibility of information in your profile page can be adjusted in the user settings. **c. Activities on the platform** In principle, all activities on the Community Platform are visible to other registered users. We wish to point out that we reserve the right in accordance with the Terms of Use to carry out random checks of all contents on the platform, including stored direct messages, or in the case of a legitimate suspicion that the Terms of Use have been violated. **d. Space information** The platform offers users the opportunity to create spaces (groups) and to join spaces. Space owners (creators) and space administrators may select the criteria for joining the space (registered users may join / invitation required) and/or the users who can access the space (all registered users, space members only). By default, spaces are publicly accessible and registered users can join. In the case of public spaces, the space owner and the space members as well as the space activities are publicly visible. **e. Space content** Space members can create content such as posts, comments, files, time schedules and wiki pages. Depending on the selected accessibility settings, the contents and comments are either publicly visible to registered users or to space members only. **f. Email notifications** Various settings for email notifications about activities on the platform can be selected in the user settings. If you do not wish to receive email notifications, you can disable this function there. **g. Direct messaging** The Community Platform can be used to exchange direct messages between individual users. If you do not want to receive direct messages from other users, you can disable this function in the user settings. **h. Sending invitations via the Platform** Users are able to send invitations to register with the Platform. We will use the personal data we collect when you do so, such as the email address of the recipient, only for the purpose of sending an email with the content specified by the user. By using this function, users warrant to the Controller that they are authorised to process the email address of the recipient for the purpose of sending the message. By sending the invitation, the user name (nickname) and the email address of the inviting user are communicated to the recipient of the invitation. **i. Deleting a user account** Users can delete their user account. The user account is first deactivated and later deleted after expiry of a cool-off period for security reasons. **j. Withdrawal of your consent** If you withdraw your consent, you will no longer be able to use the Community and your profile will be deleted. You may withdraw your declaration of consent at any time without stating reasons by sending an email to online@engagement-global.de. ####Email contact In accordance with statutory requirements, our website contains information that enable fast electronic contact with our company and direct communication with us. You can also contact us by email. When contacting us via the specified email addresses, the personal data of the sender which is transmitted with the email will be stored. This includes the text of the message and the email address. No data will be transmitted to third parties in this connection. The legal basis for the processing of data transmitted in connection with sending an email is point (f) of Article 6(1) GDPR. If the email contact is established with the aim of concluding a contract, the legal basis for the processing is additionally point (b) of Article 6(1) GDPR. We only process personal data from the transmitted emails to allow us to manage the contact request. This is also our legitimate interest in the processing of the data. The data are erased routinely as soon as they are no longer necessary to achieve the purpose of the data collection unless there is a statutory obligation to the contrary. Data subjects have the right to object to the processing of their personal data. You can contact us in this regard using the contact details provided. ####Rights of data subjects Data subjects have the following rights vis-à-vis the Controller: - You have the right to obtain information as to which personal data concerning you are being processed, as well as the source of those data and the purpose of such processing. Likewise, you must be informed if your data are transferred to third parties. In this case, you must be informed about the identity of the recipient or the category of recipients. - If your personal data are incorrect or incomplete, you have the right to obtain the rectification or completion of your data. - You may object to the processing of your personal data for advertising purposes. In this case, your data must then be blocked for these purposes. - You have the right to obtain a restriction of the processing if you contest the accuracy of the personal data relating to you for a period enabling the Controller to verify the accuracy of the personal data; if the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; if the Controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims, or if you have objected to processing pursuant to Article 21(1) GDPR pending the verification of whether the legitimate grounds of the Controller override your legitimate grounds. - You have the right to obtain the erasure of your data. This is possible if a legal basis for the data processing is lacking or has lapsed. The same applies when the purpose of the data processing has expired or lapsed for any other reason. Please note that erasure may be prevented by a conflicting duty of retention or other legitimate interests of our Company. At your request, we will gladly provide you with the relevant information. If we have published your data, we are obliged to inform every recipient about your request to have all links to these personal data or copies of these personal data erased. In this regard, please send an email to: info@engagement-global.de. - You also have the right to object if, on grounds relating to your personal situation, your legitimate interest overrides our interest in the processing. This does not apply, however, if we are obliged to carry out the processing by virtue of a statutory provision. - Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data relating to you infringes data protection laws and provisions. - You have the right to receive the personal data concerning you, which you have provided to the Controller, in a structured, commonly used and machine-readable format. ####Amendments to these data protection provisions We reserve the right to amend this Data Protection Statement so that it always complies with current legal requirements or in order to implement changes to our services in the Data Protection Statement. The next time you visit, the new data protection statement will then apply.