Privacy policy

General information
Information about this website
Information on processing operations

General information

Name and contact details of the person responsible

bidt – Bavarian Research Institute for Digital Transformation
An institute of the Bavarian Academy of Sciences

Gabelsbergerstr. 4
80333 Munich

Tel. +49 89 540 235 640
E-mail: info@bidt.digital

Contact details for the data protection officer

Our data protection officer can be reached at:


Official data protection officer of the bidt –
Bavarian Research Institute for Digital Transformation
– confidentially –
Gabelsbergerstr. 4
80333 Munich
Phone: +49 89 608 076 00
E-mail: bidt@bay-q.com

Aims of, and legal basis for, the processing of personal data

The purpose of the data processing is to fulfil the official responsibilities assigned to us by the legislature – in particular, to inform the public.

Unless otherwise stated, the legal basis for the processing of personal data is derived from Art. 4 para. 1 of the Bavarian Data Protection Act (BayDSG) in conjunction with Art. 6 para. 1 subpara. 1 (e) of the General Data Protection Regulations (GDPR), in accordance with which we are permitted to process data to the extent necessary to meet our obligations.

Recipients of personal data

Our data processing systems are operated by the Leibniz-Rechenzentrum (LRZ), Boltzmannstraße 1, 85748 Garching.

If necessary, your data will be transferred to supervisory and/or auditing authorities for checking.

In the event of electronic transmission, and in order to avert IT security risks, data may be forwarded to the State Office for IT Security and processed there on the basis of Art. 12 ff. of the Bavarian E-Government Act.

Duration of storage of personal data

Your data will be stored only for as long as is necessary for the fulfilment of our responsibilities in compliance with legal retention periods.

Your rights

Insofar as we process your personal data, you have the following rights:

  • You have the right to information about the data stored about you (Art. 15 GDPR).
  • Should your personal data be inaccurate, you have the right to have it corrected (Art. 16 GDPR).
  • If the legal requirements are met, you can request the deletion of your data or the restriction of processing (Art. 17 and 18 GDPR).
  • If you have consented to the processing or if a contract for data processing exists and the data processing is carried out using automated procedures, you may have a right to data transferability (Art. 20 GDPR).
  • If you have consented to the processing and the processing is based on this consent, you can revoke your consent at any time with future effect. The legality of the data processing carried out on the basis of consent prior to revocation shall remain unaffected.

If your data is processed exclusively on the basis of Article 6 paragraph 1 letter e or f GDPR (Article 21 paragraph 1 sentence 1 GDPR), you have the right to object at any time, on grounds of your personal circumstances, to the processing of your data.

Right of appeal to the supervisory authorities

You also have the right to complain to the Bavarian State Commissioner for Data Protection at:

Postal address: Postfach 22 12 19, 80502 Munich
Street address: Wagmüllerstr. 18, 80538 Munich

Tel. +49 89 212 672 0
Fax: +49 89 212 672 50

E-mail: poststelle@datenschutz-bayern.de
Internet: https://www.datenschutz-bayern.de/

Further information

For further information on the processing of your data and on your rights, please contact us at the above addresses.

Information about this website

Technical implementation

Our web server is operated by Mittwald CM Service GmbH & Co. KG, Königsberger Straße 4-6, 32339 Espelkamp, Germany, who therefore process on our behalf the personal data you provide when visiting our website.

Logging

When you access this or other pages of our website, you transmit data to our web server via your Internet browser. During an ongoing connection for communication between your Internet browser and our web server, the following data are recorded:

  • IP address of the user
  • Directory protection user
  • Date
  • Time
  • Pages accessed
  • Protocols
  • Status code
  • Data volume
  • Speaker
  • User Agent
  • Host name

IP addresses are anonymised at domain level so that they cannot be linked to individual users. Anonymised IP addresses are kept for sixty days. Information on the directory protection user is anonymised after one day.

Error logs, which record incorrect page views, are deleted after seven days. In addition to the error messages, these logs contain the accessing IP address and, depending on the error, the website accessed.

Access via FTP is logged with anonymised information on username and IP address and kept for sixty days.

The mail logs for sending e-mails from the web environment are anonymised after one day and then retained for sixty days. During the anonymisation, all data regarding the sender/recipient etc. is removed. Only data on the time of sending and information on how the e-mail was processed (queue ID or not sent) are retained.

Mail logs for mail sent via our mail servers are deleted after four weeks. The longer retention period is necessary to ensure the functionality of mail services and prevent spam.

Active components

We use active components such as Javascript, Java Applets and Active-X-Controls. This function can be switched off by adjusting your browser settings.

Cookies

When you access this website, we store cookies (small files) on your device, which are valid for the duration of your visit (“session cookies”). We use these cookies only during your visit to our website. Most browsers are set to accept the use of cookies. This function can, however, be deactivated temporarily or permanently by adjusting your browser settings. At the end of your visit, your browser will automatically delete these cookies.

Borlabs Cookie

This website uses Borlabs Cookie, which sets a technically required cookie (Borlabs Cookie) to store your consent to cookies. The Borlabs Cookie does not process any personal data.

The cookie stores the consent that you have given when you accessed the website. If you would like to revoke these consents, simply delete the cookie from your browser. When you revisit/reload the website, you will be asked again for your consent to cookies.

Integration of YouTube videos and social plugins

When you visit our website, additional services from YouTube and social plugins (e.g. LinkedIn) are offered via a two-click process. When the website is first accessed, no data are transmitted to the operators. Only after users have agreed to the LinkedIn logo by clicking on it in the opt-in procedure will data (including the URL of the page you are on and your IP address) be transmitted to the operator, including for subsequent visits. As a user, you can therefore decide for yourself whether to use these services and whether your data are transferred. You can revoke this consent at any time and stop further data transmission to the operators by clicking on the relevant link on the homepage (opt-in procedure).

Integration of YouTube videos

Videos from the external video platform YouTube are integrated into our website. By default, only deactivated images, which do not establish an automated connection with YouTube’s servers, are embedded from YouTube. This means that the operator does not receive any data from the user when the user accesses the websites.

You can decide for yourself whether to activate YouTube videos. Only when you approve the playing of videos by clicking on “Permanent activation” do you give your consent for your data (including the Internet address of the page you are on and your IP address) to be transmitted to the operator.

In order to save the settings you request, we will create a cookie that stores parameters. However, when these cookies are set, no personal data are stored by us; they contain only anonymised data for browser adjustment. The videos are then active and you can play them. If you wish to deactivate the automatic loading of YouTube videos, you can untick the consent box under the data protection symbol. This will also update your cookie settings.

YouTube is a service provided by YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA, a subsidiary of Google Inc. 1600 Amphitheater Parkway, Mountainview, California 94043, USA. For more information on the purpose and scope of data processing (including outside the EU and the US) and information on options for protecting your privacy, please refer to the data protection statement at https://policies.google.com/privacy?hl=en&gl=en. Google processes your personal data in the US (and elsewhere) and has therefore complied with the EU-US Privacy Shield.

Integration of Google Maps

We integrate Google Maps in such a way that data are not automatically sent to Google. On our events page, there is a link to Google Maps. If you click on the Google Maps logo, a new browser window will open and you will find the venue on a Google map.

Evaluation of user behaviour (web tracking systems; coverage measurement) | Use of Matomo (formerly PIWIK)

To design our website in line with requirements, we use the Matomo works analysis tool to evaluate user behaviour. Your IP address is first anonymised and then evaluated by us. You can deactivate this function by adjusting your browser settings.

You can decide whether a unique web analysis cookie can be stored in your browser to enable the operator of the website to collect and analyse various statistical data.

To opt out, click the following link to place the Matomo deactivation cookie in your browser.

Information on processing operations

Applications

If you send us application documents, we will use this personal data solely to meet your wishes and requirements and to process your application. Personal data will be shared only within the bidt, only with persons involved in the application process and only as part of the application process.

We will use and store your data only as long as is strictly necessary for the processing of your application. Our right to use data to establish an employment relationship is based on Art. 6 para. 1 para. 1 (b) GDPR. As part of the application procedure, we also process special categories of personal data. The legal basis for this is Art. 9 para. 2 (b) and (h) GDPR, Art. 88 para. 1 GDPR and Art. 8 para. 1 sentence 1 nos. 2 and 3 BayDSG. Applicant data will be deleted at the end of the procedure (i.e. six months after the acceptance or rejection of the application). We comply with the time limits for bringing an action before the employment courts, as we always have to consider the possibility of impending proceedings.

Newsletter and other mailings, orders of publications

Mailings
If you are one of our project or cooperation partners, have taken part in one of our events in the past or are employed by bidt, we will send you topic-related information, announcements and invitations by e-mail. For this purpose, we create e-mail distribution lists by processing your bidt e-mail address and details of your department if you are an employee of bidt, or the e-mail address provided if you are one of our project or cooperation partners or if you have participated in one of our events in the past.

To send these messages, we use a circular mail tool that is connected to our Identity Management (IDM). E-mail addresses of “external” persons are imported into the tool.

Our Newsletter
If you are interested in our newsletters, you can subscribe to them. We need your e-mail address for this. Otherwise we will not be able to send you the newsletter. So that we can address you personally in our newsletters, we also ask you to provide us with your first and last name. The aforementioned information is stored in the mailing list for sending our newsletter and is only processed for this purpose (sending e-mails with a personal salutation).

Double opt-in for verification of the e-mail address and proof of consent
When you subscribe to our newsletter mailing list, we will send you a link and ask you to confirm the e-mail address provided using the double opt-in procedure to ensure that you have access to the e-mail account with the e-mail address provided. Only after you have clicked on the confirmation link will the information provided be stored in our mailing list. In addition, we store the time of registration and confirmation in order to be able to prove that you have registered for our newsletter.

Analysis of opening and click behavior
We statistically analyze the sending and receipt of our newsletters in order to meet our obligation to ensure the economic efficiency of public bodies. For this purpose, we record in aggregated form, without being able to establish a specific reference to you personally, how many recipients open our newsletters and which articles are clicked on most frequently. For this purpose, our newsletters contain a small file, the so-called “tracking pixel”, which is retrieved from the sending server when the email is opened. We process technical information in the log files as well as the technical time stamp without personal reference. We use your data exclusively for internal statistical evaluations and do not pass it on to third parties

Legal basis
We process your data as part of the provision of information and invitations relating to the organization, administration and research of bidt as well as the statistical evaluation of opening and click rates as part of bidt’s public duties. The legal basis for this is Art. 4 para. 1 BayDSG in conjunction with Art. 6 para. 2, 3 and 1 letter e GDPR.

If you have voluntarily registered for inclusion in a mailing list, we base the processing of your data on your consent in accordance with Art. 6 (1) (a), Art. 4 (11) in conjunction with Art. 7 (4) GDPR. The storage of your registration and confirmation time is in our legitimate interest to be able to prove in the event of any legal disputes that you have registered on the mailing list for the sending of newsletters. With the double opt-in procedure, we also take your legitimate interest into account by ensuring that you have not been registered by unauthorized third parties.

Unsubscribing / deletion
You can, of course, unsubscribe from further newsletters and thus also from the future analysis of opening and click behavior at any time by unsubscribing from the newsletter. To do this, click on the unsubscribe button at the end of each newsletter. Data that you have provided to receive newsletters or that can be traced back to you will be deleted when you unsubscribe.

Recipient of your data
Our newsletter tool is operated by rapidmail GmbH, based at Wentzingerstraße 21 in 79106 Freiburg im Breisgau (rapidmail). rapidmail processes your data on our behalf and in accordance with our instructions in the European Union, unless we have expressly described otherwise here. This means that rapidmail does not use or may not use your data for its own purposes, in particular not for its own purposes or its own advertising measures.
Further information on how rapidmail works can be found at the following link www.rapidmail.de.

Event management

You can register for events via our website, in which case the legitimacy of our data processing is based on Art. 6 Par. 1 (b) and (e) GDPR. We will use your data solely for the purpose of the event and will not share it with any third parties. However, we may be obliged by law to disclose your data to third parties (e.g. as part of an inspection process).

We store the data you provide when registering for a maximum of two years and allow us to invite you to follow-up events, provided we have not received any objection from you. If we are obliged to store documents for tax reasons, we can only delete relevant data, including personal data, after a period of ten years.

For registration for bidt events, we have commissioned contractors to process your data solely in accordance with our instructions and not for their own purposes. We currently use the following contractor for event management: eveeno, Andreas Bothe, Ellenbogen 8, D-91056 Erlangen.

eveeno is an event management platform that enables event organisers to organise events and sell tickets.

Video conferencing by Zoom

In order to hold virtual events or video conferences per online meeting or webinar (hereinafter referred to collectively as “video conferences”), we require suitable technologies. We have evaluated various providers and found that the services offered by certified EU providers are not suitable for reliably holding video conferences. However, the US provider of Zoom does offer us the appropriate technology. Zoom is a service operated by Zoom Video Communications, Inc., a business located at 805 Broadway Street Suite 800 Vancouver, WA 98660, USA.

We use Zoom in what is referred to as the ‘EU Cluster’. This means that the entire account we use to hold video conferences is located in the EU. Not only is the data centre region for the video conferences in the EU, but all the data processing also takes place exclusively in the EU.

You do not need your own Zoom license to take part in our video conferences. You receive your access link from us by email in advance of a video conference. Simply clicking on the link is all you need to do to take part in the video conference. However, to do so, you also have to provide details of your name and email address at least. You can also use a nickname in this case if you so wish. You can only join a video conference after providing a name and email address.

If you take part in one of our video conferences, we process the name and email address you provide as part of the process. We also process information about the duration of the video conference. Moreover, the scope of the data we process also depends on the information you provide in advance (e.g. in your personal Zoom profile or when participating without registering) or when taking part in (e.g. in the chat or Q&A section) a video conference.

We use Zoom to hold video conferences. If we want to record individual video conferences, we will tell you clearly up front and – if necessary – ask for your consent. The fact that we are recording is also displayed in the actual application. In this case, we may also process questions asked by participants for the purpose of recording and following up on video conferences.

If we do we record a video conference, we process the following data: the MP4 file of all video, audio and presentation recordings, the M4A file of all audio recordings and the text file of the chat.

If you do not connect over a browser but instead by telephone, we process the information on the incoming and outgoing telephone number, the country name plus the time when your participation started and ended.

If we provide you with the option of using the chat, question or survey features in a video conference, we process the text submissions you make in order to display and, if necessary, log them into the video conference. If we hold an interactive video conference and give you the option to view the video and listen to the audio, the data from the microphone and any video camera on your device will be processed accordingly for the duration of the video conference. You can switch off the camera or microphone yourself at any time in the application.
If you are registered as a user with Zoom, reports about video conferences (metadata, telephone connection data, questions and answers in video conferences, survey function in video conferences) can be stored with Zoom for up to one month. An option for software-based “attention monitoring” (“attention tracking”) is available in Zoom, but this is permanently disabled.

Purpose and legal basis

Processing your data serves exclusively for holding the virtual event, i.e. the video conference. The legal basis for processing the data processed in the course of participating in one of the video conferences we organise is formed by Art. 6 (1) (f) GDPR.

Disclosure

Your data is not disclosed or transferred to third parties. As a matter of principle, your data is not transferred to the USA or any other third country.

By means of a data processing agreement and via the conclusion of EU standard contractual clauses owing to the third-country transfers that cannot be ruled out, Zoom is obliged to process your data within the bounds of our instructions only and not for its own purposes. This means that Zoom processes the data provided for the purpose of providing the service, i.e. for holding the video conference and if support is provided, in compliance with the applicable data security measures as a processor within the meaning of Art. 28 GDPR on our behalf and guarantees the level of protection by using the standard data protection clauses, including the data transfer impact assessment which has been conducted.

You can find more information about how Zoom works here.

Please note that when you are redirected to Zoom, you leave our sphere of responsibility until you participate in an actual video conference and that the Zoom website uses cookies and tracking technologies. We, therefore, recommend that you read the Zoom Privacy Policy and Terms of Use prior to visiting the Zoom website. We have no control over Zoom and the technologies they use after you leave our website.

Deletion/Storage

As a participant in our video conferences, your data, and in particular the name and email address you provide and the amount of time you spend in a video conference, are not stored.

Objection/removal option

You are free to stop taking part in the video conference at any time.

Photography

  • As part of our press and public relations work, photos are taken at events and on dates where you may be personally recognisable.
  • To opt out of such recording and publication, please contact us at the addresses provided above.

Participation in surveys

If you participate in surveys, we will generally not transfer your personal data to third parties. However, we may be subject to statutory duties to disclose your data to third parties – e.g. in the course of audits.

We prepare surveys where we do not send any personalised invitations for participation or process data of external participants in order to satisfy the task in the public interest that has been assigned to us (Art. 4 (1) BayDSG [Bavarian Data Protection Act], Art. 6 (1) lit. e), (2) GDPR). If we write to you specifically to draw your attention to our offer for participating in a survey, our initiation of contact with you is based on the consent you have given us for this purpose (Art. 6 (1) lit. a) GDPR). If we ask you specifically to enter personal data in surveys, we will point this out explicitly and ask you separately for your consent before you participate (Art. 6 (1) lit. a) GDPR).

We generally design our surveys so that no conclusions as to the identity of individuals can be drawn in the course of the analysis and potential publication (de facto anonymous data). This means that it is not possible without disproportionate effort to trace back the data to you personally based on the information you have provided and in consideration of the additional knowledge of the person with authorised access. The selected employees have no access to data that would permit them to attribute the data to specific persons. Please ensure that the information you provide, e.g. in free text fields, does not contain any data that could permit conclusions as to your identity or the identities of third parties. Participation in surveys per se and the provision of information in the course of the survey is voluntary in all cases.

We have placed so-called data processors under obligations in contracts for the performance of online surveys to process your data exclusively according to our instructions and specifically not for their own purposes. At this time, we use the following services for surveys:

  • LimeSurvey GmbH, survey services & consulting, Papenreye 63, 22453 Hamburg / Germany
  • Lamano GmbH & Co. KG, Frankfurter Allee 69, 10247 Berlin / Germany

Participation in live surveys during our events

During our events, we conduct live surveys. The surveys are conducted via Mentimeter. Mentimeter is a web-based survey tool of the Swedish provider Mentimeter AB, with a business address in Tulegatan 11, SE-113 86 Stockholm in Sweden. Mentimeter processes the survey data on our behalf and according to our instructions inside of the European Union (EU).

Participation in surveys is voluntary and anonymous

Participating in our surveys is voluntary. This first of all means that it is up to you whether or not you use Mentimeter without any drawbacks being created for you by your choice.

The survey is anonymous, so there is no possibility that the answers can be traced back to you – be it directly or by means of additional measures.

No registration or input of personal data required

Neither registration nor the input of personal data is required for the use of Mentimeter. However, if you do so, this is voluntary. That is because you can also use Mentimeter for the intended purpose without entering personal data.

No responsibility for the processing of your IP address

We would like to inform you that we are not responsible under data protection laws for the processing of your IP address as part of using Mentimeter. Your participation in our surveys is voluntary. By using a suitable VPN connection, you can prevent the processing of your IP address.

You can find information about data protection and data security in the use of Mentimeter at the following link: https://www.mentimeter.com/privacy. We point out that in the surveys conducted by us, Mentimeter also integrates tracking tools of providers with domiciles outside of the European Union or the European Economic Area. It can therefore not be ruled out that your IP address will be processed in a so-called third country and that your rights could be restricted for this reason, and that the protection level might not conform to the requirements in Europe, especially as concerns the enforcement of your rights against measures by the executive branch of government.

Cooperation via the digital pinboard during our events

In the course of our events, we also use among others the digital pinboard Padlet. The tool can be used via a browser and apps for tablets for smartphones. Padlet runs completely online in the process. Besides the ability to record a multitude of media (text, audio, pictures, videos, drawings, links,…) it also offers the possibility of synchronous collaboration. This means, multiple persons can work on one Padlet at the same time.

Padlet is headquartered in San Francisco, California (USA) and Singapore.

The collaboration in the course of our events via the digital pinboard is voluntary and anonymous. This first of all means that it is up to you whether or not you use Padlet without any drawbacks being created for you by your choice.

Neither registration nor the input of personal data (photos, voice messages, names, etc.) is required for the use of Padlet in the course of our events. However, if you do so, this is voluntary. That is because you can also use Padlet for the intended purpose without entering personal data.

During the use, Padlet processes data about your end device, including the IP address, browser type and operating system, which could enable third parties to identify you via the services used by Padlet. The same also applies to data flows received from the contents of a Padlet that are integrated from external sources. We would like to inform you that we are not responsible under data protection laws for the processing of your traffic data as part of using Padlet. Your participation is voluntary. By using a suitable VPN connection, a brave browser, the mobile browser of DuckDuckGo or the related Google Chrome plugin, you can prevent the processing of your traffic data (e.g. IP address).

You can find information about data protection and data security in the use of Padlet at the following link: https://padlet.com/about/privacy. We further point out that in the pinboards integrated by us, Padlet also embeds tracking tools of providers with domiciles outside of the European Union or the European Economic Area.

Padlet uses a variety of cookies and tracking mechanisms for the performance of its services. You can find information on the use of cookies and tracking mechanisms in the data privacy statement of Padlet: https://padlet.com/about/privacy. It can therefore not be ruled out that your IP address will be processed in a so-called third country and that your rights could be restricted for this reason, and that the protection level might not conform to the requirements in Europe, especially as concerns the enforcement of your rights against measures by the executive branch of government.

Participation in live streaming of conferences with a chat feature

In the course of certain events, we integrate the online streaming platform of Vimeo.com, Inc., 555 West 18th Street, New York 10011, USA (hereinafter: Vimeo) on our conference page whereby we can also offer the live chat feature to the online conference participants.

Vimeo is headquartered in the USA, so access by US authorities to the data transmitted to Vimeo cannot be ruled out. We point out that no protection level comparable to that of the GDPR applies, among others, due to the limited possibilities for rights protection against access by authorities.

The use of the chat feature of Vimeo is voluntary and therefore requires your consent to the use of the Vimeo services. This first of all means that it is up to you whether or not you use the chat feature without any drawbacks being created for you by your choice.

Neither registration nor the input of personal data (real names) is required for the use of the chat feature in the course of our events. However, if you do so, this is voluntary. That is because you can also use the chat feature for the intended purpose without entering personal data. During the use, Vimeo also processes, besides the name entered by you, data about your end devices such as the IP address, browser type, and operating system, which could make you identifiable. We would like to inform you that we are not responsible under data protection laws for the processing of your traffic data as part of using Vimeo. Your participation is voluntary. By using a suitable VPN connection or a suitable browser, you can prevent the processing of your traffic data (e.g. IP address).

You can find information about data protection and data security in the use of Vimeo at the following link: https://vimeo.com/privacy. If you use the chat feature of Vimeo, we will process the contents of your chat messages. If they are not addressed to our moderators directly, these can also be viewed by other conference participants. The chat history of the event days will be deleted at the end of each event day.

Last updated: 05-25-2023