Privacy policy for calaios.eu

Status: 26 October 2021

The protection of your personal data is important to us. With this data protection declaration, we would like to explain to you in more detail what personal data we collect from you and for what purpose the data is used.

1 Responsible person and contact

Calaios GmbH
Eupener Street 165
50933 Cologne

If you have any questions or suggestions on the subject of data protection, please feel free to contact us by e-mail at the following address: datenschutz@calaios.eu

For some processing operations, we are jointly responsible with the respective organiser who offers its services on our platform, Art. 26 GDPR. You can find out which processing activities are involved in this privacy policy or in the joint responsibility agreement, the main excerpts of which you can find under point 19 of this privacy policy.

2 Subject of data protection

The subject of data protection is personal data. According to Art. 4 No. 1 GDPR, personal data is any information relating to an identified or identifiable natural person; this includes, for example, the name or identification numbers.

3 Automated data acquisition

When accessing our platform, your end device automatically transmits data for technical reasons. The following data is stored separately from other data that you may transmit to us:

  • IP address
  • URL of the page accessed
  • Date and time

We store this data for the following purposes:

  • Load balancing, i.e. to distribute access to our platform across several devices and to be able to offer you the fastest possible loading times;
  • Ensuring the security of our IT systems, e.g. to defend against specific attacks on our systems and to recognise attack patterns;
  • Ensuring the proper operation of our IT systems, e.g. if errors occur that we can only rectify by storing the IP address;
  • Enabling criminal prosecution, danger prevention or legal prosecution in the case of concrete indications of criminal offences.

Your IP address is only stored for a period of 14 days.

In this case, the processing is carried out on the basis of our overriding legitimate interests mentioned above (Art. 6 para. 1 p. 1 lit. f DSGVO).

4 Cookies

We store cookies in order to be able to offer certain functions of our platform and to optimise the use of our platform. Cookies are small files that are stored on your end device with the help of your internet browser.

Specifically, we use the following cookies (unless other cookies are specified elsewhere in this privacy policy):

  • Session cookies: These cookies are needed to store certain technical data during your visit to our platform, e.g. to determine whether you have logged in.
  • Klaro Consent: These cookies are needed to manage Cookie Consent.

The legal basis for the use of these cookies is Section 15 (1) of the German Telemedia Act (TMG) and Art. 6 para. 1 p. 1 lit. b DSGVO, insofar as they are necessary for the use of our platform and the functions you have accessed. Otherwise, we use cookies on the basis of your consent, Art. 6 para. 1 p. 1 lit. a DSGVO.

5 Pretix - Booking System

We use the Pretix service of rami.io GmbH, Markgräfler Straße 16, 69126 Heidelberg ("Pretix"). Pretix processes personal data on our behalf, Art. 28 DSGVO. The processing takes place exclusively within the European Union.

The payment service providers responsible for processing payments are integrated via Pretix. These are the service providers

The transmission of payment information to these providers by us takes place for the processing of payments for the respective service bookings, Art. 6 para. 1 p. 1 lit. b DSGVO. The further processing of payment information by the payment service provider is the sole responsibility of the respective payment service provider. Please refer to the data protection declarations of the payment service providers if you wish to use them. The respective payment service provider is solely responsible for the processing of your payment data. We have neither access to nor influence over this.

6 Processing of personal data of participants

If you are a participant in the services offered on the Platform, we process the following personal data from you:

6.1 Registration and account management

You can create a participant account on our platform. For this purpose, you must register. To do this, we need the following information from you:

  • Name, first name
  • Gender / Salutation
  • E-mail address
  • Password

To complete the registration, you will receive an email with a confirmation link. Your registration data is required to set up and manage an account for you and to enable you to use our offers, Art. 6 para. 1 p. 1 lit. b DSGVO. In order to set up this account, you must provide us with this data. However, you are neither contractually nor legally obliged to provide the data.

In addition, you can add further voluntary information to your profile:

  • Address
  • Telephone number

This data is processed in order to provide you with the associated features of our platform, Art. 6 para. 1 p. 1 lit. b DSGVO.

6.2 Registration for services

When you register for organiser services via your participant account, we process the following information from you:

  • E-mail address
  • Name
  • Address
  • Payment information

This information is necessary for your registration for the corresponding service, Art. 6 para. 1 p. 1 lit. b DSGVO. In order to register, you must provide us with this data. However, you are neither contractually nor legally obliged to provide the data.

For the registration and the order and payment process, we use Pretix as a processor, Art. 28 DSGVO (see point 5 above).

We are jointly responsible for this processing with the respective organiser, Art. 26 DSGVO (see point 19).

6.3 Performance of the service

To hold the event, you will receive an authorisation code for a video conference meeting. The associated processing of your personal data, in particular your e-mail address, is done to fulfil our contract with you, Art. 6 para. 1 p. 1 lit. b DSGVO.

Your use of the video conferencing tool and the processing of your personal data via this tool is exclusively subject to the data protection provisions of the respective tool provider. The tool provider is solely responsible for the processing of your personal data in the context of the video conference. We have no influence on how this tool provider processes your personal data.

We are jointly responsible for this processing with the respective organiser, Art. 26 DSGVO (see point 19).

6.4 Payment processing

Please refer to our explanations on Pretix, point 5.

We are jointly responsible for this processing with the respective organiser, Art. 26 DSGVO (see point 19).

6.5 Recommendations of services

We may display recommendations for services that may be of interest to you in your Participant Account. To create these recommendations, we process your previous registrations as well as information from your participant account in order to be able to suggest services to you based on corresponding topics, formats or times. This processing is done in our legitimate interest and the legitimate interest of the organisers and guides to be able to suggest interesting services to you, Art. 6 para. 1 p. 1 lit. f DSGVO.

7 Processing of personal data of organisers

If you are an organiser of services offered on the platform, we process the following personal data from you:

7.1 Registration and account management

In order to use our platform and create services, you must register and be activated as an organiser. To do this, we need the following information from you:

  • Name, first name
  • Salutation
  • Institution and address (billing address)
  • E-mail address
  • Telephone number
  • Bank details
  • Tax ID and information on VAT liability
  • Password

To complete the registration, you will receive an email with a confirmation link. Your registration and account data are required to set up and manage an organiser account for you, to activate you as an organiser and to enable you to use our offers, Art. 6 para. 1 p. 1 lit. b DSGVO. In order to set up this account, you must provide us with this data. However, you are neither contractually nor legally obliged to provide the data.

In addition, you can add further voluntary information to your profile:

  • Brief introduction
  • References (website, social media)
  • Photographs / Logos
  • Advertising clips

This data is processed in order to provide you with the associated features of our platform, Art. 6 para. 1 p. 1 lit. b DSGVO.

7.2 Contact database

We may store contact details of event organisers in a contact database. The storage takes place in order to effectively manage our business contacts as well as for contract management purposes (Art. 6 para. 1 p. 1 lit. f DSGVO). We use a service of Bitrix24 Ltd, Poseidonos, 1 LEDRA BUSINESS CENTER Egkomi, 2406, Nicosia, Cyprus ("Bitrix24"). Bitrix24 processes your personal data on our behalf, Art. 28 DSGVO. In this context, the processing of data outside the EU, in particular in the USA, cannot be ruled out. In doing so, Bitrix24 observes the requirements of Chapter 5 of the DSGVO and uses the data processing methods approved by the EU Commission (standard data protection clauses).

8 Processing of personal data of guides

If you are a guide of services offered on the Platform, we process the following personal data from you:

8.1 Registration and account management

In order to use our platform and act as a guide for services, you must register. For this we need the following information from you:

  • Name, first name
  • Address
  • E-mail address
  • Telephone number
  • Password

To complete the registration, you will receive an email with a confirmation link. Your registration data is required to set up and manage a guide account for you, to activate you as a guide and to enable you to use our offers, Art. 6 para. 1 p. 1 lit. b DSGVO. In order to set up this account, you must provide us with this data. However, you are neither contractually nor legally obliged to provide the data.

In addition, you can add further voluntary information to your profile:

  • Brief introduction
  • References (website, social media)
  • Photographs / Logos

This also allows you to determine how participants perceive your guide profile on the platform. This data is processed in order to provide you with the associated features of our platform, Art. 6 para. 1 p. 1 lit. b DSGVO.

8.2 Adding to a service as a guide

In order for you to be added as a guide to a service, we process the following information from you, which we provide to the organiser on the platform:

  • Name, first name
  • E-mail address

If an organiser adds you as a guide to a service, you will receive an email asking you to confirm or decline the service. The organiser will be informed of your decision by email. This information and its provision to the organisers is required so that you can be added as a guide to a service, Art. 6 para. 1 p. 1 lit. b DSGVO. However, you are neither contractually nor legally obliged to provide the data.

8.3 Performance of the service

To hold the event, you will receive an authorisation code for a video conference meeting. The associated processing of your personal data, in particular your e-mail address, is done to fulfil our contract with you, Art. 6 para. 1 p. 1 lit. b DSGVO.

Your use of the video conferencing tool and the processing of your personal data via this tool is exclusively subject to the data protection provisions of the respective tool provider. The tool provider is solely responsible for the processing of your personal data in the context of the video conference. We have no influence on how this tool provider processes your personal data.

8.4 Contact database

We may store contact details of guides in a contact database. The storage takes place in order to effectively manage our business contacts as well as for contract management purposes (Art. 6 para. 1 p. 1 lit. f DSGVO).

We use a service provided by Bitrix24 Ltd, Poseidonos, 1 LEDRA BUSINESS CENTER Egkomi, 2406, Nicosia, Cyprus ("Bitrix24"). Bitrix24 processes your personal data on our behalf, Art. 28 DSGVO. In this context, the processing of data outside the EU, in particular in the USA, cannot be ruled out. In doing so, Bitrix24 observes the requirements of Chapter 5 of the DSGVO and uses the data processing methods approved by the EU Commission (standard data protection clauses).

9 Analysis services

We use the following analysis services on our platform:

9.1 Google Analytics

If you consent, we will use Google Analytics, a web analytics service provided by Google LLC, 1600 Amphitheatre Pkwy Mountain View, California 94043, USA ("Google"). There is no EU Commission adequacy decision for the USA. Therefore, we have agreed with Google on the standard data protection clauses approved by the EU Commission pursuant to Art. 46 (2) lit. c DSGVO.

Google Analytics collects pseudonymous data from you about the use of our platform, including your shortened IP address, and uses cookies. This data is transferred to a Google server in the USA and stored there. Google will use this information for the purpose of evaluating your use of the platform for us, compiling reports on the use of our platform and generating other analyses and evaluations relating to the use of our platform and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf.

Your data will be stored by Google Analytics for a period of 14 months. After this period, the data is deleted and only aggregated statistics are kept.

The use of Google Analytics is based on your consent (Art. 6 para. 1 p. 1 lit. a DSGVO). You can revoke your consent at any time and deactivate Google Analytics using a browser add-on. You can download this here: https://tools.google.com/dlpage/gaoptout?hl=de. Alternatively, you may withdraw your consent by clicking here. You can also withdraw your consent via our Cookie Consent Manager. This does not affect the lawfulness of the processing carried out until your revocation.

9.2 Matomo (formerly Piwik)

If you agree, we use Matomo, an open source software for statistical analysis of visitor numbers. Matomo uses cookies. The usage information collected by Matomo (including your shortened IP address) is transmitted to our server and stored for usage analysis and product optimisation purposes. Your IP address is immediately shortened during this process so that you as a user are not identifiable to us. The pseudonymous data we store about the use of this website will not be passed on to third parties.

The use of Matomo is based on your consent (Art. 6 para. 1 p. 1 lit. a DSGVO). You can revoke your consent at any time via our Cookie Consent Manager. This does not affect the lawfulness of the processing carried out until your revocation.

10 Newsletter

You have the possibility to register for our newsletter. With our newsletter, we would like to send you information about our offers and products that is as individual as possible. By registering for our newsletter, you consent to us processing your e-mail address for sending the newsletter. By registering for our newsletter, you also agree that we may analyse your reading and usage behaviour in the context of using the newsletter. The legal basis for this processing is Art. 6 para. 1 p. 1 lit. a DSGVO. You can revoke your consent at any time by unsubscribing from our newsletter. To do so, you can use the unsubscribe link contained in every email.

To verify your email address, you will first receive a registration email, which you must confirm via a link (double opt-in). When you register for the newsletter, we store the IP address and the date and time of registration. The processing of this data is necessary in order to be able to prove that consent has been given. The legal basis results from our legal obligation to prove your consent (Art. 6 para. 1 p. 1 lit. c in conjunction with Art. 7 para. 1 DSGVO).

We use the newsletter service of Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin ("Sendinblue"), which processes your data on our behalf, Art. 28 (1) DSGVO.

11 Requests

If you send us enquiries, for example via our contact form, we will store and use the contact information and details you provide in order to process the enquiry.

We store enquiries about contracts or of potential legal relevance for the general limitation period, i.e. three years from the end of the year in which we received your enquiries. We store all other enquiries for a period of 24 months. After that, your enquiries will be deleted unless we are obliged to keep them for a longer period for legal reasons.

The storage is based on our legitimate interest in the proper documentation of our business operations and the protection of our legal positions (Art. 6 para. 1 p. 1 lit. f DSGVO). In the case of enquiries about contracts, the data is stored for the purpose of initiating and implementing the respective contractual relationship (Art. 6 para. 1 p. 1 lit. b DSGVO) and, if applicable, for the purpose of fulfilling legal obligations (Art. 6 para. 1 p. 1 lit. c DSGVO).

To integrate our contact form, we use a service provided by Bitrix24 Ltd, Poseidonos, 1 LEDRA BUSINESS CENTER Egkomi, 2406, Nicosia, Cyprus ("Bitrix24"). Bitrix24 processes your personal data on our behalf, Art. 28 DSGVO. In this context, the processing of data outside the EU, in particular in the USA, cannot be ruled out. In doing so, Bitrix24 observes the requirements of Chapter 5 of the DSGVO and uses the data processing methods approved by the EU Commission (standard data protection clauses).

12 Incorporated third-party content

We have integrated content from third-party providers on our platform. This content is loaded from the servers of the respective providers, so that your end device transmits certain technically necessary data to the third-party provider. In particular, it cannot be ruled out that these providers may take note of the IP address assigned to you. Insofar as personal data is processed, this is done on the basis of the data protection declarations of the respective third-party providers. The integration by us takes place on the basis of our legitimate interests in being able to provide our users with the corresponding content and functionalities and to be able to operate our platform economically, as well as the circumstance that your legitimate interests are not overridden, Art. 6 para. 1 p. 1 lit. f DSGVO. In detail, we integrate the following third-party content:

Fonts: Carbon, Klim Type Foundry, 23-B Totara Road, Miramar, Wellington, New Zealand 6022

13 Web hosters

We operate our platform on servers of our hosting service provider Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen ("Hetzner"). Our emails are also stored there. Our hoster processes personal data on our behalf, Art. 28 DSGVO. The processing takes place exclusively within the European Union.

14 Disclosure of data

With the exception of the use of the aforementioned order processors, your personal data will only be passed on without your express prior consent in the following cases:

  • If it is necessary to clarify an illegal use of our platform or for legal prosecution, personal data will be forwarded to the law enforcement authorities and, if necessary, to injured third parties. However, this only happens if there are concrete indications of unlawful or abusive behaviour. A transfer may also take place if this serves to enforce terms of use or other agreements. We are also legally obliged to provide information to certain public authorities upon request. These are law enforcement agencies, authorities that prosecute administrative offences subject to fines and the tax authorities.

This data is disclosed on the basis of our legitimate interest in combating abuse, prosecuting criminal offences and securing, asserting and enforcing claims and that your rights and interests in the protection of your personal data are not overridden, Art. 6 (1) sentence 1 lit. f DSGVO or on the basis of a legal obligation pursuant to Art. 6 (1) sentence 1 lit. c DSGVO.

  • We disclose personal data to auditors, accounting service providers, lawyers, banks, tax advisors and similar bodies insofar as this is necessary for the provision of our services (Art. 6 para. 1 p. 1 lit. b DSGVO) or the proper operation of our business, including the assertion of or defence against legal claims and legal prosecution (Art. 6 para. 1 p. 1 lit. f DSGVO) or we are obliged to do so (Art. 6 para. 1 p. 1 lit. c DSGVO).

15 Automated individual decisions or profiling measures

We do not use automated processing to make a decision about you or for profiling.

16 Deletion of your data

Unless otherwise stated, we will delete or anonymise your personal data as soon as it is no longer required for the purposes for which we collected or used it in accordance with the above paragraphs. As a rule, we store your personal data for the duration of the usage or contractual relationship plus the applicable limitation period, as well as for a period of 4 weeks during which we store backup copies after the end of the usage or contractual relationship. We also retain your data if we are obliged to do so for legal reasons or if the data is required for a longer period for criminal prosecution or for securing, asserting or enforcing legal claims.

If data must be retained for legal reasons, processing is restricted. The data is then no longer available for further use.

Storage beyond the contractual relationship is based on our aforementioned legitimate interests in accordance with Art. 6 (1) sentence 1 lit. f DSGVO, or on the basis of our statutory storage obligations in accordance with Art. 6 (1) sentence 1 lit. c DSGVO.

17 Your rights as a data subject

As a person affected by the processing of personal data, you have a right to information about the data processed, a right to rectification of your personal data, a right to erasure of your personal data, a right to restriction of the processing of your personal data and a right to data portability in accordance with the legal requirements.

In addition, you have the right to object to the processing of your personal data at any time for reasons relating to your particular situation if the data processing is based on Art. 6 (1) p. 1 lit. e or lit. f DSGVO (including profiling) or if data is processed for direct marketing purposes.

In the event of consent, you have the right to revoke your consent at any time, Art. 7 (3) p. 1 DSGVO. This does not affect the lawfulness of the processing carried out until your revocation.

You also have the right to lodge complaints with a supervisory authority.

Finally, we would like to point out that we process the personal data provided by you when exercising your rights pursuant to Articles 15 to 22 of the GDPR for the purpose of implementing these rights and to be able to provide evidence thereof. This processing is based on the legal basis of Art. 6 (1) sentence 1 lit. c DSGVO.

18 Changes to this privacy policy

The current version of this privacy policy is always available at calaios.eu/privacy/.

19 Joint responsibility with organisers

Below you will find the main contents of the joint responsibility agreement with organisers whose services you can find on our platform:

1. Processing and responsibility

1.1 The object of the data processing is the joint processing of personal data between the Provider and the Organiser when the Organiser uses the Calaios platform in accordance with the main contract.

1.2 The data processing shall be carried out in accordance with Appendix 1 to this Agreement in joint responsibility or in commissioned processing by the Provider for the Organiser.

1.3 Any relocation of processing operations to a third country within the meaning of the GDPR must be agreed between the parties and may only take place if the specific requirements of Art. 44 et seq. GDPR are fulfilled.

[...]

2. Permissibility of data processing and consent management

2.1 Processing of personal data under this Agreement may only be carried out if and to the extent that such data processing can be based on an adequate legal basis, which is named, among other places, in Appendix 1.

2.2 If, in addition to this agreement, the joint data processing is to be based on the consent of the data subjects as the legal basis for the data processing, the parties shall jointly determine the requirements to be met for this purpose.

3. Information of the persons concerned

3.1 The parties undertake to provide the data subject free of charge with the information required under Articles 13, 14 GDPR in a precise, transparent, comprehensible and easily accessible form in clear and simple language. Unless otherwise agreed in Appendix 1, the provision of the information is the responsibility of the provider.

3.2 The parties undertake to make the essential content of the agreement on joint data protection responsibility available to the data subjects pursuant to Art. 26 (2) DSGVO. In order to fulfil this obligation to provide information, the parties will communicate the essential content of the agreement with the information pursuant to Art. 13, 14 DSGVO. The content will be updated by the parties as necessary.

4. Fulfilment of the other rights of the data subjects

4.1 Data subjects may assert the rights to which they are entitled under Articles 15 to 22 of the GDPR ("data subject rights") against both contracting parties. The Parties shall process requests independently and, to the extent necessary, inform the other Party thereof if they are able to do so. In all other respects, the parties shall support each other to the extent necessary in the fulfilment of the data subject rights. Communication with the data subjects shall be made by the party to whom the data subject request was addressed.

4.2 If personal data is to be deleted, the parties shall inform each other in advance. The other party may object to the deletion for a justified reason, for example if it has a legal obligation to retain the data.

5. Common contact point for those affected

The contracting parties shall establish a joint contact point within the meaning of Art. 26 (1) sentence 3 GDPR for data subject enquiries regarding processing activities related to the main contract. The provider shall act as the contact point.

[...]

7. Procedure in the event of a data protection breach

7.1 The Provider shall be responsible for examining and processing all breaches of personal data protection within the meaning of Article 4 No. 12 of the GDPR, including the fulfilment of any notification obligations that may therefore exist vis-à-vis the competent supervisory authority pursuant to Article 33 of the GDPR or vis-à-vis data subjects pursuant to Article 34 of the GDPR, insofar as the breach relates to a processing operation for which the Provider is solely or jointly responsible with the Organiser.

7.2 The Parties shall notify the other Party without undue delay of any data protection breach discovered and shall cooperate to the extent necessary and reasonable in any notification pursuant to Articles 33 and 34 of the GDPR and in any clarification and elimination of the data protection breach.

8. Cooperation with the supervisory authorities

8.1 The parties shall notify the other party without delay if a data protection supervisory authority approaches them in connection with this Agreement, the cooperation or the data processing.

8.2 To the extent possible, the Parties shall consult with each other before responding to any requests from competent data protection supervisory authorities or before disclosing information in connection with this Agreement, the Cooperation or the Data Processing to competent data protection supervisory authorities. In addition, the Parties shall cooperate fully and assist each other free of charge in the event of enquiries or inspections by data protection authorities.

9. Establishment of a head office to determine the lead supervisor

The Contracting Parties establish the Provider's business address in Cologne as the nominal principal place of business under this Agreement.

[...]

Overview of the processing procedures:

| Processing | Description | Art. 26 | Art. 28 | Legal basis |
| --- | --- | --- | --- | --- |
| Booking of services of the organiser by participants | The Provider receives the participant's registration data from the participant account as well as via its subcontracted processor Pretix and transmits the participant data required for the processing of the participant contract and the payment processing to the Organiser. The parties shall mutually transmit to each other any changes made to the participant's data after the booking has been made, insofar as this is necessary for the processing of the contracts concluded between the organiser and the participant via the platform. The provider uses the participant's contact data to send the participant the order confirmation and the authorisation code for the virtual service room. | x | | Art. 6 para. 1 p. 1 lit. b) DSGVO (contract between the participant and the provider as well as the participant and the organiser) |
| Organiser's employee data in the organiser account | The Provider shall receive and manage the login data and other account information from employees of the Organiser in the Organiser account on the Platform. Categories of persons concerned: Employees of the organiser. Nature of the personal data: Registration data (surname, first name, e-mail address, telephone number). | | x | Art. 28 GDPR |
| Publication of services | The provider may publish services on the platform. The information entered may contain personal data in exceptional cases. Categories of persons concerned: Persons hired by the organiser (e.g. guides, artists or musicians in the service title). Type of personal data: Information provided by the organiser (e.g. guide names, artist or musician names in the service title). | | x | Art. 28 GDPR |
| Participant support | As a matter of principle, the provider only provides support for enquiries from participants that concern the platform. Enquiries concerning a service or the relationship between the organiser and the participant will be processed by the organiser. Should a participant contact the provider with such an enquiry, the provider will forward this enquiry together with the personal data contained therein to the organiser. Categories of persons concerned: Participant. Type of personal data: Enquiry content and contact information, if applicable. | | x | Art. 28 GDPR |