1. Controller and legal basis
The controller pursuant to Article 4(7) of the EU General Data Protection Regulation (EU GDPR) is:
Toni Kroos Foundation
Luxemburger Str. 311
D-50354 Hürth, Germany
Phone: +49(0)30 29684245
Telefax: +49(0)30 29684246
E-Mail : kontakt(at)tonikroos-stiftung.de / Internet: www.tonikroos-stiftung.de
2. Data protection officer
Mr. Armin Mauritz is responsible for the monitoring of and compliance with data protection.
He will be pleased to provide you with further information on data protection at the following contact details:
3. What are personal data?
Personal data are specific information about personal or factual characteristics relating to an identified or identifiable natural person (data subject). This includes information such as your name, address, telephone number, date of birth or e-mail address. Any information which we are unable to relate to you (or only with disproportionate effort), e.g. by anonymising the information, is not personal data.
4. General information on data processing
We collect and use our users’ personal data only if this is necessary to provide a functioning website as well as to provide our content and services. We use your personal data to carry out online donations, to set up personal fundraising campaigns, to answer your questions, to operate and improve our web pages and applications, and to provide further information about the work of and/or use of donations made to the Toni Kroos Foundation. In addition, we collect personal data from applicants as part of the aid projects requested.
Otherwise, your data will only be passed on to other third parties if we are legally obliged to do so.
The personal data mentioned herein will be deleted upon expiry of the legal retention periods.
4.2. Legal basis
Insofar as we obtain the consent of the data subject to process personal data, Article 6(1) lit. a of the EU General Data Protection Regulation (GDPR) serves as the legal basis for processing of personal data.
When processing personal data in order to fulfil a contract or another legal agreement to which the data subject is a party is necessary, Article 6(1) lit. b GDPR serves as the legal basis. This also applies to processing operations required to carry out pre-contractual procedures.
Insofar as the processing of personal data is required to fulfil a legal requirement to which our company is subject, Article 6(1) lit. c GDPR serves as the legal basis. Should vital interests of the data subject or another natural person require to process personal data, Article 6(1) lit. d GDPR serves as the legal basis.
If processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the former interests, Article 6(1) lit. f GDPR serves as the legal basis for processing.
The personal data of the data subject are deleted or blocked as soon as the reason for storage no longer applies.
Data may also be stored if this is provided for by European or national legislatures in EU regulations, legislation or other regulatory provisions to which the controller is subject. Data are also blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need for continued storage of the data in order to conclude or to fulfil a legal agreement.
5. Individual processing operations
You may use a large part of our website without providing personal data. For the informational use of our web pages, we only record the personal data that your Internet browser automatically transmits to us, such as:
- IP address
- date and time of the request
- time zone difference to Greenwich Mean Time (GMT)
- content of the request (specific page)
- the amount of data transferred and the access status (file transferred, file not found, etc.)
- website from which the request comes
- browser type / version / language
- operating system and its interface
- language and version of the browser software
These data are evaluated exclusively for the improvement of our offer and do not allow any conclusions to your person.
If you wish to make use of services offered by us on our website, such as ordering a newsletter, etc., it is necessary that you provide further data for this purpose. For details, refer to the description of the specific data processing operations below. In particular, personal data are used as follows:
Providing the website and developing log files
Every time you visit our website, our system automatically records data and information from the computer system of the user calling our site. The following data will be collected:
Web pages called up by the user’s system through our website
The log files contain IP addresses or other data that allow an assignment to a user. This may be the case, for example, if the link to the website from which the user is directed to the site or the link to the website to which the user navigates involves personal data. The data are also stored in the log files of our system for the duration of the session and anonymised after the end of the session. These data are not stored together with other personal data of the user.
The legal basis for the temporary storage of data and log files is Article 6(1) lit. f GDPR.
The system needs to store the IP address temporarily in order to transmit the website to the user’s computer. For this purpose, the user’s IP address must remain stored for the duration of the session.
The data are stored in log files in order to ensure the functionality of the website. We also use the data to optimise the website and to ensure that our information systems are secure. The data are not evaluated for marketing purposes in this context.
These purposes also include our legitimate interest in data processing in accordance with Article 6(1) lit. f GDPR.
The data are anonymised as soon as they are no longer needed to achieve the purpose they were collected for. If the data were recorded to make the website available, this is the case when each session is terminated. Recording data in order to make the website available and storing the data in log files is absolutely necessary in order to operate the website. Users therefore have no opportunity to object to this.
Conclusion of online donations / payment services and payment procedures
Our website offers users the opportunity to make an online donation by entering their personal data. The data are entered into an input mask and transmitted to us where they are stored. The following data will be collected as part of the donation process:
first name, last name,
company and additional address, if applicable,
street, house number, postcode, city
payment data (credit card data, PayPal data, bank details)
For the processing of payments, we pass on your payment data to the financial institution or payment service commissioned with the payment or, if applicable, to the payment service provider commissioned by us. These companies are allowed to use your data only for order processing and not for any other purposes.
The data entered are stored on the Internet provider's server and transmitted to the operator of our donors' database using a secure connection. We use the data provided by you for the purpose of processing your donation, exclusively for internal statistical market research and sending out your donation receipts, unless you expressly object to this.
In order to subscribe to our e-mail newsletter service, we require not only your consent under data protection law but also at least your e-mail address to which the newsletter is to be sent. Any further information is provided voluntarily and will be used to contact you personally, to create the content of the newsletter and to be able to clarify any queries regarding your e-mail address.
We use the so-called double opt-in procedure for sending newsletters, i.e. we will only send you our newsletter once you have previously confirmed your registration by means of a confirmation e-mail sent to you for this purpose using a link contained therein. This is to ensure that only you as owner of the given e-mail address can subscribe to the newsletter. Your confirmation must be sent shortly after receipt of the confirmation e-mail, otherwise your newsletter subscription will be automatically deleted from our database.
You may unsubscribe from a newsletter you have subscribed to at any time by clicking on the respective link at the end of the newsletter.
When you contact us by e-mail or using a contact form, the data you provide (your e-mail address, if applicable, your name and your telephone number) will be stored by us in order to respond to your questions. We delete the data generated in this context once storage is no longer necessary or restrict processing if there are statutory retention requirements.
Otherwise, your data will only be passed on to other third parties if we are legally obliged to do so.
If you do not consent to the storage and evaluation of this data, you may object at any time. In this case, a so-called opt-out cookie is stored in your browser, which means that Matomo / Piwik does not collect any session data.
7. Safeguards to protect the data stored by us
We undertake to protect your privacy and to treat your personal data confidentially. In order to prevent the loss or misuse of data stored by us, we have implemented extensive technical and organisational safeguarding measures, which are regularly reviewed and adapted to technological progress.
However, we would like to point out that due to the structure of the Internet, it is possible that the data protection rules and the above-mentioned safeguards may not be observed by third parties or institutions which are not within our area of responsibility. In particular, unencrypted data - e.g. if such data are provided by e-mail - may be read by third parties. This is beyond our technical control. It is the responsibility of the user to protect the data provided by him from misuse by encryption or in any other way.
8. Hyperlinks to third-party websites
Our website contains so-called hyperlinks to websites of other providers. When you activate these hyperlinks, you will be redirected from our website directly to the websites of other providers. You may recognize this by the change of the URL. We do not assume any responsibility for the confidential processing of your data on these third-party websites, as we have no influence on whether these companies adhere to the data protection regulations. You may find information about the use of your personal data by these companies directly on such third-party websites.
9. Consent and withdrawal / objection
You may have explicitly consented to the following.
We would like to point out that in general you may revoke your consent at any time with effect for the future and may also object to the processing and use of your data for advertising purposes at any time: For this purpose, please use the following contact: kontakt(at)tonikroos-stiftung.de, phone: +49(0)30 29684245
a) Permission to send e-mail advertisements / newsletters
By entering my data and by clicking on the respective icon, I consent to receiving the newsletter on a regular basis. I may unsubscribe from the newsletter service at any time by clicking the "Unsubscribe" link at the end of the newsletter.
I may revoke my consent to the recording of other personal data collected during the registration process at any time.
b) Consent when sending a contact form
By entering your personal data you agree that we are allowed to use your data for processing your request and for information purposes. You may object to the use of your data by contacting us by phone on +49 (0)30 29684245 or by e-mail to kontakt(at)tonikroos-stiftung.de. Your data will only be used by us and our service providers.
10. Your rights as data subject
If personal data concerning you is processed, you are a data subject within the meaning of the General Data Protection Regulation (GDPR) and you are entitled to the following rights from the controller:
10.1. Right of access
You have the right to obtain confirmation from the controller as to whether or not we process personal data concerning you. If such processing has been performed, you may request the following information from the controller:
- the purposes for which the personal data are processed;
- the categories of personal data being processed;
- the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
- the envisaged period for which the personal data concerning you will be stored or, if specific information on this is not possible, the criteria used to determine the storage period;
- the existence of a right to request rectification or erasure of the personal data concerning you, a right to restriction of processing of personal data concerning the data subject by the controller or a right to object to such processing;
- the existence of a right to lodge a complaint with a supervisory authority;
- any available information on the origin of the data if the personal data are not collected from the data subject;
- the existence of automated decision-making including profiling in accordance with Article 22(1) and (4) GDPR and - at least in these cases - meaningful information about the logic involved as well as the scope and envisaged consequences of such processing for the data subject.
You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organisation. In this regard, you may request to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.
10.2. Right of rectification
You have a right to rectification and/or completion with respect to the controller in case the personal data processed concerning you are inaccurate or incomplete. The controller is obliged to correct the data concerned immediately.
10.3. Right to restriction of processing
Under the following conditions, you may request that the processing of your personal data is restricted:
- if you dispute the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and you refuse to delete the personal data and instead request that the use of the personal data be restricted;
- the controller no longer needs the personal data for the purposes of the processing but you will need them to establish, exercise or defend legal claims, or
- if you have filed an objection to the processing pursuant to Article 21(1) GDPR and it has not yet been determined whether the legitimate grounds of the controller override your grounds.
Where processing of the personal data concerning you has been restricted, such personal data are only allowed to be processed - apart from being stored - with your consent or in order to establish, exercise or defend legal claims or to protect the rights of another natural or legal person or on grounds of an important public interest of the Union or of a Member State. If the restriction of processing has been obtained pursuant to the above conditions, you will be informed by the controller before the restriction is lifted.
10.4. Right to erasure
a) Duty to erase
You have the right to request the controller to erase the personal data concerning you without undue delay and the controller has the obligation to erase such data without undue delay if one of the following grounds applies:
- The personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- You withdraw your consent on which the processing is based according to Article 6(1) lit. a or Article 9(2) lit. a GDPR, and there is no other legal basis for the processing.
- You object to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21 (2) GDPR.
- The personal data concerning you have been processed unlawfully.
- The personal data concerning you have to be erased for compliance with a legal obligation under Union law or the law of the Member States to which the controller is subject.
- The personal data concerning you have been collected in relation to information society services offered pursuant to Article 8(1) GDPR.
Information to third parties
Where the controller has made the personal data concerning you public and is obliged to delete it pursuant to Article 17(1) GDPR, the controller takes all reasonable steps, including technical measures, taking into account the available technology and the implementation costs, to inform controllers who are processing the personal data that you as the data subject have requested that they erase any links to such personal data or of copies or replications of such personal data.
The right to erasure does not exist insofar as the processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health in accordance with Article 9(2) lit. h and i as well as Article 9(3) GDPR;
- for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes in accordance with Article 89(1) GDPR insofar as the right referred to in lit. a) is likely to render impossible or seriously impair the achievement of the objectives of such processing; or
- for the establishment, exercise or defence of legal claims.
10.5. Right of notification
If you have exercised your right of rectification, erasure or restriction of processing against the controller, the controller is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of personal data or any restriction of processing, unless this proves impossible or involves a disproportionate effort.
You have the right to request from the controller to be informed of such recipients.
10.6. Right to data portability
You have the right to receive the personal data concerning you, that you have provided to the controller, in a structured, commonly used and machine-readable format. Furthermore, you have the right to transmit such data to another controller without hindrance from the controller to whom the personal data have been provided, where:
- the processing is based on consent pursuant to Article 6(1) lit. a GDPR or Article 9(2) lit. a GDPR or on a contract pursuant to Article 6(1) lit. b GDPR and
- the processing is carried out by automated means.
In exercising this right, you also have the right to have the personal data concerning you be transferred directly from one controller to another, insofar as this is technically feasible. The freedoms and rights of others must not be affected by this.
The right to data portability shall not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
10.7. Right to object
You have the right to object at any time to the processing of your personal data concerning you based on Article 6(1) lit. e or lit. f. GDPR on grounds relating to your particular situation, including profiling based on these provisions.
The controller shall no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves to establish, exercise or defend legal claims.
10.8. Right to withdraw the declaration of consent under data protection law
You have the right to withdraw your declaration of consent under data protection law at any time. Such withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
10.9. Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or significantly affects you in a similar manner. The foregoing shall not apply if the decision:
- is necessary for entering into, or performance of, a contract between you and the controller;
- is authorised by Union or Member State law to which the controller is subject and where such law lays down suitable measures to safeguard your rights and freedoms and your legitimate interests; or
- is based on your explicit consent.
However, these decisions may not be based on special categories of personal data referred to in Article 9(1) GDPR, unless Article 9(2) lit. a or g applies and suitable measures have been taken to safeguard your rights and freedoms and your legitimate interests.
In the cases referred to in (1) and (3), the controller implements suitable measures to safeguard your rights, freedoms and legitimate interests, including at least the right to obtain the human intervention on the part of the controller, to express his or her point of view and to contest the decision.
11. Legal basis of data processing
In the following, you will find an overview of the legal bases that apply to the processing of your data in accordance with data protection law.
Your browser automatically informs us about the processing of your data, which is done in our interest of being able to show you the web pages at all.
- Article 6(1) lit. f) General Data Protection Regulation (GDPR)
Processing is necessary for the performance of a contract to which the data subject is a contracting party or for the execution of pre-contractual measures taken at the request of the data subject.
- Article 6(1) lit. b) General Data Protection Regulation (GDPR)
Our newsletter will be sent to you on the basis of your personal consent.
- Article 6(1) lit. a) General Data Protection Regulation (GDPR)
You may withdraw your consent at any time and thereby unsubscribe from the newsletter, see also chapter Newsletter.
Web analysis, usage-based online advertising and integration of external services
We analyse the user behaviour of our visitors in our own interest for the purposes of advertising, market research or the design of our web pages tailored to users’ needs.
- Article 6(1) lit. f) General Data Protection Regulation (GDPR)
12. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data concerning you infringes any GDPR provisions. The competent supervisory authority: Landesbeauftragte für Datenschutz und Informationsfreiheit Baden-Württemberg (State Commissioner for Data Protection and Freedom of Information Nordrhein-Westfalen): To the complaint form