ASPAG takes the protection of personal data very seriously. We want you to know when we
store data, which types of data are stored and how it is used. As an incorporated entity
under German civil law, we are subject to the provisions of the EU General Data
Protection Regulation (GDPR) (refer to https://gdpr-info.eu/), the Federal Data Protection
Act (BDSG) and the Telemedia Act (TMG). We have taken technical and organisational
measures to ensure our compliance and the compliance of external service providers with
the data protection regulation.

This website uses SSL – that is, TLS encryption – in order to protect the transfer of
personal data and other confidential information (for example, orthe controller). A connection is encrypted if you see the character sequence ‘https://’ and the padlock icon in your browser’s address bar.

I. Name and address of the controller

The controller in the meaning of the General Data Protection Regulation, other national
data protection laws in the Member States and related data protection regulations is:

ASPAG-Contact

II. Name and address of the data protection officer

The controller’s appointed data protection officer is:

ASPAG-Contact

III. Definition of terms

Among others, we use the following terms in this Privacy Policy, set out in the General
Data Protection Regulation and the Federal Data Protection Act:

1. Personal data

Personal data refers to any information relating to an identified or identifiable natural
person (hereinafter: ‘data subject’). An identifiable natural person is one who can be
identified – directly or indirectly – in particular by reference to an identifier such as a name,
an identification number, location data, an online identifier or to one or more factors
specific to the physical, physiological, genetic, mental, economic, cultural or social identity
of that natural person.

2. Data subject

A data subject is any identified or identifiable natural person whose personal data is
processed by the controller.

3. Processing

Processing is any operation or set of operations performed on personal data or on sets of
personal data – whether or not by automated means – such as collection, recording,
organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use,
disclosure by transmission, dissemination or otherwise making available, alignment or
combination, restriction, deletion or destruction.

4. Restriction of processing

Restriction of processing means the marking of stored personal data with the aim of limiting its processing in the future.

5. Profiling

Profiling means any form of automated processing of personal data consisting of the use
of personal data to evaluate certain personal aspects relating to a natural person, in
particular to analyse or predict aspects concerning that natural person’s performance at
work, economic situation, health, personal preferences, interests, reliability, behaviour,
location or movements.

6. Pseudonymisation

Pseudonymisation means the processing of personal data in such a manner that the
personal data can no longer be attributed to a specific data subject without the use of
additional information, provided that such additional information is kept separately and is
subject to technical and organisational measures to ensure that the personal data are not
attributed to an identified or identifiable natural person.

7. Controller or data processing controller

Controller or data processing controller means the natural or legal person, public authority,
agency or other body which, alone or jointly with others, determines the purposes and
means of the processing of personal data; where the purposes and means of such
processing are determined by Union or Member State law, the controller or the specific
criteria for its nomination may be provided for by Union or Member State law.

8. Processor

Processor means a natural or legal person, public authority, agency or other body that
processes personal data on behalf of the controller.

9. Recipient

Recipient means a natural or legal person, public authority, agency or another body, to
which the personal data are disclosed, whether a third party or not. However, public
authorities that may receive personal data in the framework of a particular inquiry in
accordance with Union or Member State law shall not be regarded as recipients.

10. Third party

Third party means a natural or legal person, public authority, agency or body other than
the data subject, controller, processor and persons who, under the direct authority of the
controller or processor, are authorised to process personal data.

11.Consent

Consent of the data subject means any freely given, specific, informed and unambiguous
indication of the data subject’s wishes by which he or she, by a statement or by a clear
affirmative action, signifies agreement to the processing of personal data relating to him or her.

IV. General information on data processing

1. Scope of processing of personal data

We process personal data concerning our users exclusively to the extent required to
provide a functioning website, as well as our content and services. Ordinarily, we will only
process the personal data of our users after obtaining their consent. An exception to this
rule is where obtaining prior consent is factually impossible and the processing of the data
is permitted by law.

2. Legal grounds for the processing of personal data

Where we obtain consent from the data subject for the processing of personal data, the
legal grounds are set out in Art. 6, paragraph 1, part (a) of the EU General Data Protection
Regulation (GDPR).

Where personal data is processed for the performance of a contract in which the data
subject is a contractual partner, the legal grounds are set out in Art. 6, paragraph 1, part
(b) of the GDPR. This also applies to processing that is necessary for pre-contractual
measures.

Where personal data is processed for compliance with a legal obligation to which our
research centre is subject, the legal grounds are set out in Art. 6, paragraph 1, part (c) of
the GDPR.

Where processing of personal data is necessary for the protection of vital interests of the
data subject or another natural person, the legal grounds are set out in Art. 6, paragraph
1, part (d) of the GDPR.

Where processing is necessary for the legitimate interests of our research centre or a third
party, and where the fundamental rights and freedoms of the data subject do not override
the first interests, the legal grounds are set out in Art. 6, paragraph 1, part (f) of the GDPR.

3. Data deletion and duration of data storage

The personal data of the data subject will be deleted or blocked as soon as the purpose of
storage no longer applies. In addition, storage takes place if authorised by Union or
Member State directives, laws or other regulations to which the controller is subject.
Blocking or deletion of the data shall also take place when a storage period stipulated by
one of the above standards comes to an end, except where it is necessary to continue
storing the data to enter into or perform a contract.

V. Provision of the website and generation of log files

1. a) Description and scope of data processing

Our system automatically collects data and information from the accessing computer
system each time our website is visited.

The following data is collected in this context:

1. Information about the browser type and version
2. The user’s operating system
3. The user’s Internet Service Provider
4. The user’s IP address
5. The date and time of access
6. Referrer website(s)
7. Websites accessed by the user from our website

The data is also stored in log files kept on our system. This data is not stored together with

1. b) Legal grounds for data processing

The legal grounds for temporary storage of the data and log files are set out in Art. 6,
paragraph 1, part (f) of the EU General Data Protection Regulation (GDPR).

1. c) Purpose of data processing

Temporary storage of the IP address by our system is necessary to deliver the website to
the computer of the user. For this purpose, the user’s IP address must be stored for the
duration of the session.

Storage in log files takes place to ensure functionality of the website. In addition, the data
is used to optimise the website and to ensure security of our Information Technology
systems. Data analysis for marketing purposes does not take place in this context.

The ASPAG website collects a variety of general data and information each time it is
accessed by a data subject or an automated system. This general data and information is
stored in server log files. The data and information collected include the (1) browser types
and versions; (2) the operating system used by the accessing system; (3) the website
from which the accessing system arrives on our website (the referrer); (4) the sub-pages
visited by the accessing system; (5) the date and time of accessing our website; (6) an
Internet Protocol address (IP address); (7) the Internet service provider of the accessing
system and (8) other similar data and information that is used to protect against risks in
the case of attacks on our Information Technology systems.

ASPAG does not draw any conclusions about the identity of the data subject during use of
this general data and information. Instead, this information is necessary to (1) deliver the
contents of our website in their correct form; to (2) optimise the contents of our website
and promote it; to (3) guarantee the permanent functionality of our information technology
systems and equipment used for our website; and to (4) provide the information necessary
for law enforcement organisations to investigate cyber-attacks. This anonymous data and
information is analysed by ASPAG, firstly for statistical purposes, and secondly with the
objective of increasing data protection and data security at our research centre, and hence
to achieve an optimum level of protection for the personal data processed by us. The
anonymous data contained in the server log files is stored separately from all other
personal data concerning the data subject.

These purposes justify our legitimate interests in data processing according to Art. 6,
paragraph 1, part (f) of the GDPR.

1. d) Duration of storage

The data is deleted as soon as it is no longer needed for the purpose for which it was
collected. In the case of data collection for the provision of this website, this applies at the
end of each session.
In the case of data stored in log files, this occurs after no longer than seven days. Further
storage is possible; in these cases, the users’ IP addresses are deleted or pseudonymised
to prevent any association with the accessing client.

1. e) Right to objection and removal

The collection of data for the provision of our website and the storage of data in log files is
crucial to operation of the website. Hence, users are not granted a right to object.

VI. Email contact

1. a) Description and scope of data processing

It is possible to contact us using the email address provided. The personal data of the
user transferred with the email will be stored in this case.
The data is not transferred to third parties in this context. The data is used exclusively for
processing the correspondence.

1. b) Legal basis for data processing

The legal basis for processing of the data in the event that consent has been received
from the user is set out in Art. 6, paragraph 1, part (a) of the EU General Data Protection
Regulation (GDPR).

The legal basis for processing of the data sent to us by email is set out in Art. 6,
paragraph 1, part (f) of the GDPR. Where email contact is established with the intention of
entering into a contract, additional legal bases for the processing are set out in Art. 6,
paragraph 1, part (b) of the GDPR.

1. c) Purpose of data processing

We use the personal data you provide in the contact form exclusively to process your
enquiry. In the case of contact by email, this represents our necessary, legitimate interest
in data processing.

Any other personal data that is processed when you send us the contact form is used to
prevent abuse of the contact form and to protect the security of our Information

1. d) Duration of storage

The data is deleted as soon as it is no longer needed for the purpose for which it was
collected. For personal data entered in the input screen of the contact form and personal
data sent to us by email, this is the case when correspondence with the user has come to
an end. A conversation has come to an end when the circumstances indicate that the
relevant matter has been dealt with definitively.

Any additional personal data collected during the sending process will be deleted after a
maximum of seven days.

1. e) Right to objection and removal

The user is entitled to revoke their consent to the processing of personal data at any time.
The user may object to the processing of personal data at any time by contacting
ASPAG. Correspondence will be discontinued in these cases.

All personal data stored in connection with contacting us will be deleted in this case.

VII. Rights of the data subject

Where personal data concerning you is processed, you are the data subject as defined in
the EU General Data Protection Regulation (GDPR) and you have the following rights with
respect to the controller:

1. a) Right to information

You have the right to obtain from the controller confirmation of whether personal data
concerning you is processed by us.

Where such processing takes place, you have the right to obtain the following information
from the controller:

  • the purposes for which the personal data is processed;
  • the categories of personal data that is processed;
  • the recipients, or categories of recipients to whom the personal data relating to you has
    been or will be disclosed;
  • the planned duration of storage of the personal data concerning you, or the criteria
    applied to defining the duration of storage if precise information in this regard is not
    available;
  • the existence of a right to correction or deletion of the personal data concerning you,
    the right to restrict processing by the controller or the right to object to this processing;
  • the right to lodge a complaint with a supervisory authority;
  • all information available concerning the origins of the data if the personal data was not
    collected from the data subject;
  • the existence of an automated decision-making process, including profiling, according
    to Art. 22 paragraphs 1 and 4 of the GDPR and – at least in these cases – meaningful
    information on the logic and implications involved, as well as on the intended effects of
    this kind of processing on the data subject;
  • You also have the right to obtain information on whether the personal data concerning
    you has or will be transferred to a third country or to an international organisation. In
    this regard, you are entitled to request information on the appropriate guarantees in
    place with regard to this processing in accordance with Art. 46 of the GDPR.


The controller will provide a copy of the personal data that is subject to processing. Where
you request additional copies, the controller is entitled to charge an appropriate fee based
on administrative costs. If you place the application by electronic means, the information
will be made available in a standard electronic format, except where otherwise specified
by you. The right to receive a copy in accordance with paragraph 3 of this section must
not adversely affect the rights and freedoms of other persons.

1. b) Right to correction

As a data subject, you have the right to request from the controller the correction of
inaccurate personal data concerning you without undue delay. Taking into account the
purposes of the processing, you have the right to have incomplete personal data
completed, including by means of providing a supplementary statement.

1. c) Right to limit processing

  • You have the right to request from the controller restriction of processing of personal data
    concerning you under the following conditions:
  • where the accuracy of the personal data is contested by you, for a period enabling the
    controller to verify the accuracy of the personal data;
  • the processing is unlawful and you oppose the deletion of the personal data, and
    instead request the restriction of its use;
  • the controller no longer needs the personal data for the purposes of the processing,
    but it is required by you for the establishment, exercise or defence of legal claims; or
  • if you have objected to processing pursuant to Art. 21, paragraph 1, of the GDPR,
    pending the verification of whether the legitimate reasons of the controller override
    your reasons.

Where processing of the personal data concerning you has been restricted, such personal
data shall, with the exception of storage, only be processed with your consent or for the
establishment, exercise or defence of legal claims or for the protection of the rights of
another natural or legal person or for reasons of important public interest of the Union or
of a Member State.

Where you have obtained restriction of processing under the conditions set out above, you
will be informed by the controller before the restriction of processing is lifted.

1. d) Right to deletion

Obligation to delete

You have the right to request the controller to delete personal data concerning you without
undue delay, and the controller will be obliged to delete personal data immediately where
one of the following grounds applies:

  • the personal data is no longer necessary in relation to the purposes for which it was
    collected or otherwise processed;
  • you withdraw consent on which the processing is based according to part (a) of Art. 6,
    paragraph 1, or part (a) of Art. 9, paragraph 2 of the GDPR, and there is no other legal
    basis for the processing;
  • you object to the processing pursuant to Art. 21, paragraph 1 of the GDPR and there
    are no overriding legitimate grounds for the processing, or you object to the processing
    pursuant to Art. 21, paragraph 2 of the GDPR;
  • the personal data concerning you has been unlawfully processed;
    the personal data has to be deleted to comply with a legal obligation under a Union or
    Member State law to which the controller is subject;
  • The personal data concerning you has been collected in relation to the offer of
    information society services referred to in Art. 8, paragraph 1 of the GDPR.

Information to third parties


Where the controller has made the personal data concerning you public and is obliged
pursuant to Art. 17, paragraph 1 of the GDPR to delete the personal data, the controller,
taking account of available technology and the cost of implementation, is required to take
reasonable steps, including technical measures, to inform controllers who are processing
the personal data that you have requested to be deleted by such controllers, as well as
any links to, copies or replications of such personal data.

Exceptions

The right to deletion does not apply to the extent that processing is necessary:

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation under Union or Member State law to which the
    controller is subject or for the performance of tasks carried out in the public interest or
    in the exercise of official authority vested in the controller;
  • for reasons of public interest in the area of public health in accordance with parts (h)
    and (i) of Art. 9, paragraph 2 and Art. 9, paragraph 3 of the GDPR;
  • for archiving purposes in the public interest, for scientific or historical research
    purposes or for statistical purposes in accordance with Art. 89, paragraph 1 of the
    GDPR, insofar as the rights referred to in section (a) are likely to render impossible or
    seriously impair the achievement of the objectives of that processing; or
  • for the establishment, exercise or defence of legal claims.


1. e) Right to notification

Where you have exercised the right to correction, deletion or restriction of processing with
the data controller, the data controller shall be obliged to notify all recipients to whom the
personal data concerning you was disclosed of this correction or deletion of data or of the
restriction of processing, except where compliance proves to be impossible or is
associated with a disproportionate effort.


In addition, you are entitled to require that the data controller inform you about these
recipients.

1. f) Right to data portability

You have the right to receive the personal data concerning you, which you have provided
to the controller, in a structured, commonly used and machine-readable format and have
the right to transfer that data to another controller without hindrance from the controller to
which the personal data have been provided, where:

  • the processing is based on consent pursuant to part (a) of Article 6, paragraph 1 or
    part (a) of Article 9, paragraph 2 of the GDPR or in a contract pursuant to part (b) of
    Art. 6, paragraph 1 of the GDPR; and
  • the processing is carried out by automated means.

In exercising your right to data portability, you have the right to have the personal data
concerning you transmitted directly from one controller to another, where technically
feasible. This must not adversely affect the rights and freedoms of other persons.

The right to data portability does not apply to processing that is necessary for the
performance of a task carried out in the public interest or in the exercise of official
authority vested in the controller.

1. g)Right to object

You have the right to object, at any time, on grounds relating to your particular
situation, to the processing of personal data concerning you, which is based on
parts (e) or (f) of Art. 6, paragraph 1 of the GDPR; this includes profiling based on
those provisions.

The controller shall no longer process the personal data concerning you, unless the
controller demonstrates compelling legitimate grounds for the processing which
override your interests, rights and freedoms or for the establishment, exercise or
defence of legal claims.

Where personal data concerning you is processed for direct marketing purposes,
you have the right to object, at any time, to the processing of personal data
concerning you for the purpose of such marketing. This applies also to profiling to
the extent that it is related to such direct marketing.

Where you object to processing for direct marketing purposes, the personal data
will no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding
directive 2002/58/EC, you may exercise your right to object by automated means
that use technical specifications.

Where personal data is processed for scientific or historical research purposes or
for statistical purposes pursuant to Art. 89, paragraph 1 of the GDPR, you have the
right, on grounds relating to your particular situation, to object to processing of
personal data concerning you, except where the processing is necessary for the
performance of a task carried out for reasons of public interest.

Should you wish to exercise your right to withdraw consent or to object, please
send an email to ASPAG.

1. h) Right to withdraw consent pursuant to Art. 7, paragraph 3 of the GDPR

You have the right to withdraw your consent to the processing of data at any time, with
future effect. In the event that you withdraw consent, we will delete the data concerned
immediately, except where processing can be based on legal grounds that do not require
consent. The withdrawal of consent will not affect the lawfulness of processing carried out
prior to withdrawal of consent.

1. i) Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing,
including profiling, which produces legal effects for you or similarly significantly affects
you.

This does not apply if the decision:

  • is necessary for entering into, or performance of, a contract between you and the data
    controller;
  • is authorised by Union or Member State law to which the controller is subject and
    which also contains suitable measures to safeguard your rights, freedoms and
    legitimate interests; or
  • is based on your explicit consent.

However, these decisions must not be based on special categories of personal data
referred to in Art 9, paragraph 1 of the GDPR, unless parts (a) or (g) of Art. 9, paragraph 2
of the GDPR applies and suitable measures to safeguard your rights, freedoms and
legitimate interests are in place.

In the cases referred to in parts (1) and (3), the data controller is required to implement
suitable measures to safeguard your rights, freedoms and legitimate interests, including at
least the right to obtain human intervention on the part of the controller, to express your
own point of view and to contest the decision.

1. j) Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to
lodge a complaint with a supervisory authority, in particular in the Member State of your
normal residence, you place of work or the place of the alleged infringement, if you
consider that the processing of personal data relating to you infringes the GDPR.

The supervisory authority with which the complaint has been lodged is required to inform
the complainant on the progress and the outcome of the complaint, including the
possibility of a judicial remedy pursuant to Article 78.