Status: September 2022

Data Protection Declaration

1. Controller

The controller within the meaning of the data protection and privacy laws, particularly the EU General Data Protection Regulation (GDPR), is:
Nuremberg Institute for Market Decisions (Nürnberg Institut für Marktentscheidungen e.V.)
Founder of GfK
Steinstr. 21
90419 Nuremberg
Tel. +49 911 9 51 51 983
Fax +49 911 37677 872
E-mail: hello@nim.org

Our data protection officer can be contacted as follows:

Nuremberg Institute for Market Decisions (Nürnberg Institut für Marktentscheidungen e.V.)
Personal/Confidential, Attn.: Data Protection Officer
Steinstr. 21
90419 Nuremberg
Or by e-mail: privacy@nim.org

 

2. Purposes for which we process your personal data

”Personal data” means any information relating to an identified or identifiable natural person. When personal data are processed, this means that it is possible for them to be collected, stored, used, transferred to others, or erased, among other things. Nowadays, certain items of information are automatically collected and stored when you visit any website, including this one. When you visit our website, just as you are doing now, our Web server automatically stores data such as

  • the address (URL) of the website accessed,
  • browser and browser version,
  • the operating system used,
  • the address (URL) of the page previously visited (referrer URL),
  • the host name and IP address of the device from which the page is being accessed,
  • date and time, and
  • Web server log files.

Web server log files are typically stored for two weeks and automatically erased after that. The legal basis for the processing of these data is point (b) of Article 6(1) GDPR.

Beyond that, we also process your personal data as follows:

Contact/newsletter

Our website includes contact forms that can be used to contact us electronically, apply for membership, and sign up to receive our newsletter. If you use these forms to contact us, the data entered in the entry window are transferred to us and stored. The required fields are:

  • First and last name (including title) (optional)
  • E-mail address
  • In the case of the contact form, also message with text

In addition, your IP address and the date and time of your inquiry are stored.

If you sign up to receive our newsletter, you transfer the personal data mentioned above and give us the right to contact you by e-mail. Should you unsubscribe from our newsletter – you will find the link to do this at the very bottom of each newsletter – we will delete then all data that were stored when you subscribed to receive it.

The legal basis for the processing of these data are points (b) and (f) of Article 6(1) GDPR for the use of the contact form and point (a) of Article 6(1) GDPR for subscribing to the newsletter.

Communication via e-mail

It is possible to communicate using an e-mail address provided to us. In this case, the personal data concerning you that are transferred with the e-mail are stored:

  • E-mail address
  • Message content
  • Signature, with first and last name
  • Address if included
  • Phone number if included
  • Company name if included
  • Date and time when the e-mail is sent

Please note: communication via e-mail may involve security vulnerabilities. For example, e-mails can be intercepted and viewed by unauthorized parties as they traverse the Internet. Should we receive an e-mail from you, we will assume that we are entitled to respond by e-mail. If this is not the case, we must ask you to use a different means of communication.

The data are erased as soon as it is no longer required for the purpose for which it was collected. For the personal data from the entry window of the contact form and those that have been transferred by e-mail, this is deemed to be the case when the relevant conversation with the user has been concluded. A conversation is deemed to have been concluded if it is apparent from the circumstances that the matter in question has been definitively clarified. If you apply for membership and your application is denied, the data are deleted after 90 days.

The legal basis for the processing of these data are points (b) and (f) of Article 6(1) GDPR

Member area

You have the option to use the protected member area of our website. Data concerning our members are collected, processed, and/or used for the specific purposes of administration and communication with members. You can voluntarily upload information to your profile (such as your interests, a link to your LinkedIn profile, a brief CV, or a photo). This information is then also visible to all other members (but only members).

We will store your data for the duration of your membership and the storage periods that apply beyond that. The legal basis for the processing of this data is point (a) of Article 6(1) GDPR.

 

3. Recipients or categories of recipients to which or whom the data may be communicated

In principle, we do not share your personal data with third parties except where necessary to perform a contract, where we have or the third party has a legitimate interest in disclosure, where you have given consent, or where so doing is necessary in order to fulfill a legal obligation. In particular, we may disclose personal data to a third party

  • if we are obligated to do so in the individual case based on statutory stipulations or as a result of enforceable orders issued by any government agency or court;
  • in connection with legal disputes (to courts or our attorneys) or audits (to auditors);
  • in connection with possible criminal acts, to the authorities responsible for investigating these; and
  • in the event that the business is sold (to the purchaser).

If and insofar as data are regularly transferred to further third parties, this is explained in these data protection and privacy provisions. In the case of transfers based on consent, this will also be done when the consent is obtained.

Further recipients of personal data may include external contractors (for example, for the purpose of issuing invitations to events or for website hosting). These contractors undertake a contractual obligation not to share the personal data with third parties, to use them only to fulfill the relevant purpose, and to erase them immediately thereafter unless the statutory retention periods (for accounting purposes, for example) conflict with so doing.

 

4. International data transfers

We also share personal data with third parties or processors based in non-EEA countries. In this case, we ensure before disclosing the data that an adequate level of protection exists at the recipient’s end (for example, based on an adequacy decision by the European Commission with regard to that country in accordance with Article 45 GDPR or an agreement with the recipient on what are known as the EU standard contractual clauses as adopted by the European Commission pursuant to Article 46 GDPR) or that our users have given their express consent.

 

5. Standard time limits for erasure of data

We store your data as long as necessary in order to provide our online services or as long as we have a legitimate interest in continued storage thereof. In all other cases, we erase your personal data with the exception of data we are required to retain (invoices, for example) in order to observe statutory retention periods (under tax or commercial law, for example).

 

6. Are you obligated to provide us with personal data?

In principle, you are not obligated to provide us with your personal data. However, providing personal data may be necessary in order to use certain services offered on our website, such as registering for the member area or if you use the contact form to submit an inquiry to us. Required information is generally marked with an asterisk (*). If you do not wish to provide the data necessary to this end to us, you will unfortunately be unable to use the services in question.

 

7. Cookies

When you visit our website, we will show you a “cookie banner.” There are two reasons for this. First, we do this to let you know we use cookies and other tracking technologies. Second, it allows you to set your cookie preferences and object to the use of cookies. The data processing associated with this is described in detail in this section. As noted in the cookie banner, you are deemed to have consented to this use if you click the “Accept all” button on the cookie banner. You can withdraw this consent in whole or in part at any time with effect for the future. The text that follows describes the options available to you for doing this in detail.

Like many other websites, we use what are known as cookies. Cookies are small text files that are transferred from a website server to your hard drive. When this happens, we automatically receive certain data, such as IP address, the browser used, operating system, and your Internet connection.

Cookies cannot be used to launch programs or transmit viruses to a computer. We can use the information contained in cookies to make it easier for you to navigate our website and display our Web pages correctly. Certain cookies are automatically erased after the end of your browser session (these are known as session cookies), while others are stored either for a specific period or permanently in the user’s browser and erase themselves after that (these are known as temporary and persistent cookies, respectively). With the exception of essential cookies (which are always required), we use cookies only with your consent. You can grant this consent using our consent management platform (“CMP”) and subsequently withdraw it at any time with effect for the future by configuring your privacy settings.

Of course, you can also view our website without cookies, in principle. Internet browsers are generally set up to accept cookies. In general, you can disable cookies at any time via your browser settings. Please consult your Internet browser’s help functions to learn how to change these settings. Please note that individual features of our website may not work if you have disabled cookies.

 

8. Matomo

Our website uses the Web analytics service Matomo. Matomo is an open source project of InnoCraft Ltd., 150 Willis St., 6011 Wellington, New Zealand, NZBN 6106769. Matomo uses cookies which make it possible to analyze use of the website. To this end, the information on use collected in the cookie (including your truncated IP address) is stored for purposes of analyzing the use of the website if you have given consent. Matomo does not transfer any data to servers lying outside our control. During this process, your IP address is anonymized immediately so you are not identifiable to us as a user. The information collected on your use of this website is not shared with third parties. Our interest in, and the purpose of, the data processing lie in optimizing our website, adjusting the content, and improving what we offer. The anonymization adequately safeguards the interests of users. We use the data collected for statistical analysis of user behavior for the purpose of optimizing the functionality and stability of the website and for marketing purposes.

The legal basis for the use of Matomo is your consent pursuant to point (a) of Article 6(1) GDPR. For further information on Matomo, please visit https://matomo.org/privacy/.

 

9. Embedded YouTube videos

We embed YouTube videos on our website. The operator of the software needed for this is Google Ireland Limited, Google Building, Gordon House, 4 Barrow St., Dublin, D04 E5W5, Ireland.

The YouTube content is incorporated in “Privacy Enhanced Mode.” This is done to ensure that YouTube initially does not store any cookies on your device. As a result, YouTube no longer stores any information about visitors as long as you do not watch the video.

If you click the video, your IP address is transferred to YouTube, which means YouTube learns you have watched the video. If you are logged into YouTube or your Google account, this information is also associated with your user account. You can prevent this by logging out of YouTube before accessing the video.

Accordingly, the following data can be collected and processed via YouTube:

  • IP address
  • Referrer URL
  • Device information
  • Videos viewed

The legal basis for this processing is your consent pursuant to point (a) of Article 6(1) GDPR. If you do not want YouTube to collect and process the data mentioned above, you can refuse consent or withdraw it at any time with effect for the future. Data may be transferred to the United States in the context of processing via YouTube. The security of the transfer is ensured via what are known as standard contractual clauses. These clauses guarantee that the processing of personal data is subject to a level of security that corresponds to that set out in the GDPR.

For further information on data protection and privacy with YouTube, please consult the provider’s privacy policy at https://www.google.de/intl/de/policies/privacy/.

 

10. Friendly Captcha 

We use the Friendly Captcha tool on our website. This tool is provided by Friendly Captcha GmbH, Am Anger 3-5, 82237 Wörthsee, Germany.

The tool is used to prevent automated and abusive queries by so-called "bots". Bots are programs that perform simple, repetitive tasks fully automatically. Their goal can be to attack websites for malicious reasons, collect information and use it for harmful activities. We want to prevent this by using Friendly Captcha. As part of this process, your IP address is collected by Friendly Captcha to send a cryptographic task to your terminal. This task is solved in the background and once solved, Friendly Captcha sends a confirmation to the server that this is a natural person.

Friendly Captcha processes and stores the following data in the above process

  • Anonymized IP address of the requesting computer.
  • Information about the used browser and operating system
  • Anonymized counter per IP address to control the cryptographic tasks
  • Web page from which the access was made (so-called referrer URL)

The data is used for protection against bots. The legal basis for the processing is the legitimate interest according to Art. 6 (1) f) GDPR to prevent abusive access or spam attacks by bots. If personal data is processed when using Friendly Captcha, it will be deleted after 30 days.

More information is available at https://friendlycaptcha.com/de/privacy 

 

11. Datawrapper

We embed interactive visualizations (graphs, statistics, charts, etc.) on our website that we created using the service Datawrapper (Datawrapper GmbH, Raumerstraße 39, 10437 Berlin). Datawrapper does not perform any tracking, user profiling, advertising or data trading based on the visualizations we embed. No cookies or other identifiers are set by the visualizations we embed. Datawrapper processes - but does not store - your IP address when you view a visualization. This data transfer is required for any normal website visit.

For more information about Datawrapper's privacy policy, please visit https://www.datawrapper.de/privacy

 

12. Highcharts 

We use functions of the service Highcharts (Sentrumsgata 44, 6893 VIK I SOGN, Norway) on our website. When you access our website on which such HTML code from Highcharts is integrated, your browser connects to the Highcharts servers. The content of the HTML code is transmitted directly to the browser, which processes it on the page you are visiting. The legal basis for data processing is Art. 6 para. 1 lit. f) GDPR. Our legitimate interest lies in the optimization of our website. You can find more information on data protection at Highcharts at https://www.highcharts.com/blog/privacy/.

Since the application of the GDPR has been binding for the EEA states Iceland, Liechtenstein and Norway by decision of the EEA Joint Committee of July 6, 2018 (No. 154/2018), these countries no longer count as third countries within the meaning of the GDPR. Data transfers within these countries and between these countries and the EU Member States are subject to the same requirements as data transfers within the EU Member States.

 

13. Links to LinkedIn and Twitter

Our website uses the logo (no plug-ins) of the social network LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland). If you click the logo, you will be redirected to our LinkedIn account. Since this is purely a link and not a plug-in, no data can be read out as in the case of a plug-in.

Our website uses the logo (no plug-ins) of the microblogging service Twitter (Twitter Inc., 1355 Market St, Suite 900, San Francisco, CA 94103, USA). If you click the logo, you will be redirected to our Twitter account. Since this is purely a link and not a plug-in, no data can be read out as in the case of a plug-in.

 

14. Data security

We have taken measures to protect your personal data against accidental loss and unauthorized access, use, modification, and disclosure. To protect the security of your data during transmission, we use state-of-the-art encryption methods (such as SSL) via HTTPS.

 

15. Your rights

You can contact us free of charge if you have any questions regarding the collection, processing, or use of your personal data. This also encompasses – to the extent applicable and justified and where no statutory retention obligation or other rights conflict with this claim – the rights of rectification, data portability, erasure, restriction, objection or withdrawal of the consent that has been granted. You also have the right to lodge a complaint with the supervisory authority. The supervisory authority with jurisdiction over you depends on the state of your residence, place of work or place of the alleged infringement. For a list of supervisory authorities (for the non-public sector), including addresses, please click here. Alternatively, you can also contact the data protection authority with jurisdiction over us, which is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach
poststelle@lda.bayern.de

Amendments to our data protection and privacy provisions

We reserve the right to adjust this data protection and privacy statement to ensure that it is always in accordance with the current legal requirements or to implement changes in our services in the data protection and privacy statement, for example, if and when new services are introduced. The new data protection and privacy statement then applies to your next visit. You can see when this data protection and privacy statement was last updated at the start of the statement.

Questions about data protection and privacy

If you have questions about data protection and privacy, please write us an e-mail at privacy@nim.org.