Data Protection Information

for the Website www.vgp.de/en-uk

We, the Verlagsgruppe Passau GmbH, provide our website under the web address www.vgp.de/en‐uk.
In context with the website and the services provided on the website, we process personal data.
The protection of personal data is important to us. We process personal data only in accordance with the applicable data protection requirements, in particular the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG).

In Section A of this Data Protection Information we provide you with information about the controller responsible for the processing of your personal data and the controller’s data protection officer.
In Section B you find information about the processing of your personal data.
In Section D you further find information on your rights regarding the processing of your personal data.
The technical terms relating to data protection used in this Data Protection Information have the meaning used in the General Data Protection Regulation. You will find more detailed information about this in Section E

Table of contents

A.     Information on the controller
I.      Identity and contact details of the controller
II.     Contact details of the controller’s data protection officer
B.     Information on the processing of personal data
I.      Informational use of the website
II.     Use of online contact forms
C.     Information on the rights of data subjects
I.
      Right of access
II.     Right to rectification
III.    Right to erasure („right to be forgotten“)
IV.    Right to restriction of processing
V.     Right to data portability
VI.    Right to object
VII.   Right to withdraw consent
VIII.  Right to lodge a complaint with a supervisory authority
D.     Information about the technical terms of the General Data Protection Regulation used in this Data Protection Information
E.     Effective date of and changes to this Data Protection Information

A. Information on the controller

I. Identity and contact details of the controller

Verlagsgruppe Passau GmbH
Medienstraße 5
94036 Passau

vgp@vgp.de
Phone: +49(0)851/802–0
Fax: +49(0)851/802–401

II. Contact details of the controller’s data protection officer 

Mr. Christian Weiß
Donaukurier GmbH
Stauffenbergstraße 2 a
85051 Ingolstadt

datenschutz@pnp.de
Telefon: +49 841/9666-300

B. Information on the processing of personal data 

I. Informational use of the website

When the use of the website is purely informational, certain information, for example your IP address, is sent to our server by the browser used on your device for technical reasons. We process this information in order to provide the website content requested by you. To ensure the security of the IT infrastructure used to provide the website, this information is also stored temporarily in what is referred to as a so‐called „web server log file“.

You receive more detailed information on this below:

1. Details on the personal data which are processed

Categories of personal data processed Personal data included in the categories Sources of the data Obligation to provide the data Storage duration
HTTP Data. Protocol data which accrue when visiting the website via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons.

These include IP address, type and version of your internet browser, operating system used, last site accessed before visiting the site (referrer URL), date and time of visit.
User of the website. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot provide the requested website content.
Data are stored in server log files in a form allowing the identification of the data subject for a maximum period of 7 days, unless a security-relevant event occurs (e.g. a DDoS attack).

If there is a security-relevant event, server log files are stored until the security-relevant event has been eliminated and completely resolved.

2. Details on the processing of the personal data

Purpose of processing the personal data Categories of personal data processed Automated decision-making Legal basis and, where applicable, legitimate interests Recipient
Provision of the website content requested by the user:

For this purpose, data are temporarily processed on our web server.
HTTP Data. No automated decision-making takes place. Article 6 paragraph 1 point (f) of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is the provision of the website content requested by the user.
Hosting Provider.
Ensuring the security of the IT infrastructure used for the provision of the website, in particular for the detection, elimination and conclusive documentation of incidents (e.g. DDoS attacks):

For this purpose, data are temporarily stored and evaluated in log files on our web server.
HTTP Data. No automated decision-making takes place. Article 6 paragraph 1 point (f) of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is ensuring the security of the IT infrastructure used for the provision of the website, in particular for the detection, elimination and conclusive documentation of incidents (e.g. DDoS attacks):
Hosting Provider.

3. Details on the recipients of personal data and the transfer of personal data to third countries and/or international organisations

Recipient Recipient’s role Recipient’s location Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations
Hosting Provider
(currently: aligia GmbH)
Processor. EU.

II. Use of online contact forms

We offer you the possibility on the website to contact us using contact forms. We process the information provided by you in the contact forms to process your request. Where applicable, we also store the information for evidence purposes for any assertion, exercise or defence of legal claims or in order to meet statutory document retention obligations, in particular commercial and tax law document retention obligations.

When the contact forms on our website are used certain information, for example your IP address, is for technical reasons sent to our server by the browser used on your device. We process this information in order to provide the contact forms on our website and to ensure the security of the IT infrastructure used to provide the contact form.

You receive more detailed information on this below:

1. Details on personal data which are processed

Categories of personal data processed Personal data included in the categories Sources of the data Obligation to provide the data Storage duration
Contact Form HTTP Data. Protocol data which accrue via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons when the contact forms on our website are accessed.

These include IP address, type and version of your internet browser, operating system used, site accessed before visiting the site (referrer URL), date and time of the visit.
User of the website. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot provide the requested website content.
Data are stored in server log files in a form allowing the identification of the data subject for a maximum period of 7 days, unless a security-relevant event occurs (e.g. a DDoS attack).

If there is a security-relevant event, server log files are stored until the security-relevant event has been eliminated and completely resolved.
Contact Form Data. Data you provide us with in contact forms on the website.

These include the information provided to us in the relevant website contact form, in particular your name, date of birth, address, telephone number, email address and the content of your request.
User of the website. Provision is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation to provide the data.

If the data is not provided, we cannot process your request.
Data are stored until your request has been dealt with.

We store these data for evidence purposes for the assertion, exercise or defence of any legal claims and also for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.

We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations exist. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (Sec. 147 German Fiscal Code (Abgabenordnung – (AO), Sec. 257 German Commerical Code – (HGB)) (HGB).

We also store the "metadata" of your contact request (sender, recipient, subject, date and time; not the actual message text) in server log files in a form allowing the identification of the data subject for a maximum period of 7 days, unless a security-relevant event occurs (e.g. a DDoS attack).

In the event of a security-relevant event, server log files are stored until the security-relevant event has been eliminated and completely resolved.

2. Details on the processing of the personal data

Purpose of the processing of personal data Categories of personal data processed Automated decision-making Legal basis and, where applicable, legitimate interests Recipient
Provision of the contact forms on the website.

For this purpose data are processed temporarily on our web server.
Contact Form HTTP Data. No automated decision-making takes place. Article 6 paragraph 1 point (f) of the General Data Protection Regulation) (balancing of interests).

Our legitimate interest is the provision of the website content requested by the user.
Hosting Provider.
Ensuring the security of the IT infrastructure used for the provision of the contact forms, in particular for the detection, elimination and conclusive documentation of incidents (e.g. DDoS attacks):

For this purpose, data are temporarily stored and evaluated in log files on our web server.
Contact Form HTTP Data,

Contact Form Data (only sender, recipient, subject, date and time; not the actual message text)
No automated decision-making takes place. Article 6 paragraph 1 point (f) of the General Data Protection Regulation) (balancing of interests).

Our legitimate interest is ensuring the security of the IT infrastructure used to provide the contact forms, in particular to identify, eliminate and preserve evidence of disruptions (e.g. DDoS attacks).
Hosting Provider.
Processing of your request. Contact Form Data. No automated decision-making takes place. If your request concerns a contract to which you are party or the performance of pre-contractual measures:

Article 6 paragraph 1 point (b) of the General Data Protection Regulation (performance of a contract to which the data subject is party or steps at the request of the data subject prior to entering into a contract).

Otherwise:

Article 6 paragraph 1 point (f) of the General Data Protection Regulation (balancing of interests).

In this case, our legitimate interest is the processing of your request.
Storage and processing for evidence purposes for any assertion, exercise or defence of legal claims. Contact Form Data. No automated decision-making takes place. Article 6 paragraph 1 point (f) of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is assertion, exercise or defence of legal claims.
Storage of data in order to meet statutory document retention obligations, in particular commercial and tax law document retention obligations.

Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (Sec. 147 German Fiscal Code (Abgabenordnung – AO), Sec. 257 German Commerical Code (Handelsgesetzbuch– HGB)).
Contact Form Data. No automated decision-making takes place. Article 6 paragraph 1 point (c) of the General Data Protection Regulation (Compliance with a legal obligation).

3. Details on the recipients of persona data and the transfer of personal data to third countries and/or international organisations

Recipient Recipient’s role Recipient’s location Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations
Hosting Provider
(currently: aligia GmbH)
Processor. EU.

C. Information on the rights of data subjects 

As a data subject, you have the following rights with regard to the processing of your personal data:

• Right of access (Article 15 of the General Data Protection Regulation) 
• Right to rectification (Article 16 of the General Data Protection Regulation)
• Right to erasure („right to be forgotten“) (Article 17 of the General Data Protection Regulation) 
• Right to restriction of processing (Article 18 of the General Data Protection Regulation) 
• Right to data portability (Article 20 of the General Data Protection Regulation) 
• Right to object (Article 21 of the General Data Protection Regulation)
• Right to withdraw consent (Article 7 paragraph 3 of the General Data Protection Regulation) 
• Right to lodge a complaint with a supervisory authority (Article 77 of the General Data Protection Regulation)

You may contact us for the purpose of exercising your rights using the contact information in Section A
Where applicable, you find information on any specific modalities and mechanisms which facilitate the exercise of your rights, in particular the exercise of your rights to data portability and to object, in the information on the processing of personal data in Section B of this Data Protection Information.

Below you find more detailed information on your rights with regard to the processing of your personal data: 

I. Right of access

As a data subject, you have a right to obtain access and information under the conditions provided in Article 15 of the General Data Protection Regulation.

This means in particular that you have the right to obtain confirmation from us as to whether we are processing your personal data. If so, you also have the right to obtain access to the personal data and the information listed in Article 15 paragraph 1 of the General Data Protection Regulation. This includes information regarding the purposes of the processing, the categories of personal data that are being processed and the recipients or categories of recipients to whom the personal data have been or will be disclosed (Article 15 paragraph 1 points (a), (b) and (c) of the General Data Protection Regulation).

You can find the full extent of your right to access and information in Article 15 of the General Data Protection Regulation, which can be accessed using the following link: http://eur‐lex.europa.eu/legal‐content/EN/TXT/HTML/?uri=CELEX:32016R0679

II. Right to rectification

As a data subject, you have the right to rectification under the conditions provided in Article 16 of the General Data Protection Regulation.

This means in particular that you have the right to receive from us without undue delay the rectification of inaccuracies in your personal data and completion of incomplete personal data.

You can find the full extent of your right to rectification in Article 16 of the General Data Protection Regulation, which can be accessed using the following link: http://eur‐lex.europa.eu/legal‐content/EN/TXT/HTML/?uri=CELEX:32016R0679

III. Right to erasure („right to be forgotten“)

As a data subject, you have a right to erasure („right to be forgotten“) under the conditions provided in Article 17 of the General Data Protection Regulation.

This means that you have the right to obtain from us the erasure of your personal data and we are obliged to erase your personal data without undue delay when one of the reasons listed in Article 17 paragraph 1 of the General Data Protection Regulation applies. This can be the case, for example, if personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed (Article 17 paragraph 1 point (a) of the General Data Protection Regulation).

If we have made the personal data public and are obliged to erase it, we are also obliged, taking account of available technology and the cost of implementation, to take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of those personal data (Article 17 paragraph 2 of the General Data Protection Regulation).

The right to erasure („right to be forgotten“) does not apply if the processing is necessary for one of the reasons listed in Article 17 paragraph 3 of the General Data Protection Regulation. This can be the case, for example, if the processing is necessary for compliance with a legal obligation or for the establishment, exercise or defence of legal claims (Article 17 paragraph 3 points (b) and (e) of the General Data Protection Regulation).

You can find the full extent of your right to erasure („right to be forgotten“) in Article 17 of the General Data Protection Regulation, which can be accessed using the following link: http://eur‐lex.europa.eu/legal‐content/EN/TXT/HTML/?uri=CELEX:32016R0679

IV. Right to restriction of processing

As a data subject, you have a right to restriction of processing under the conditions provided in Article 18 of the General Data Protection Regulation.

This means that you have the right to obtain from us the restriction of processing if one of the conditions provided in Article 18 paragraph 1 of the General Data Protection Regulation applies. This can be the case, for example, if you contest the accuracy of the personal data. In such a case, the restriction of processing lasts for a period that enables us to verify the accuracy of the personal data (Article 18 paragraph 1 point (a) of the General Data Protection Regulation).

Restriction means that stored personal data are marked with the goal of restricting their future processing (Article 4 paragraph 3 of the General Data Protection Regulation).

You can find the full extent of your right to restriction of processing in Article 18 of the General Data Protection Regulation, which can be accessed using the following link: http://eur‐lex.europa.eu/legal‐content/EN/TXT/HTML/?uri=CELEX:32016R0679

V. Right to data portability

As a data subject, you have a right to data portability under the conditions provided in Article 20 of the General Data Protection Regulation.

This means that you generally have the right to receive your personal data with which you have provided us in a structured, commonly used and machine‐readable format and to transmit those data to another controller without hindrance from us if the processing is based on consent pursuant to Article 6 paragraph 1 point (a) or Article 9 paragraph 2 point (a) of the General Data Protection Regulation or on a contract pursuant to Article 6 paragraph 1 point (b) of the General Data Protection Regulation and the processing is carried out by automated means (Article 20 paragraph 1 of the General Data Protection Regulation).

You can find information as to whether an instance of processing is based on consent pursuant to Article 6 paragraph 1 point (a) or Article 9 paragraph 2 point (a) of the General Data Protection Regulation or on a contract pursuant to Article 6 paragraph 1 point (b) of the General Data Protection Regulation in the information regarding the legal basis of processing in Section B of this Data Protection Information.

In exercising your right to data portability, you also generally have the right to have your personal data transmitted directly from us to another controller if technically feasible (Article 20 paragraph 2 of the General Data Protection Regulation).

You can find the full extent of your right to data portability in Article 20 of the General Data Protection Regulation, which can be accessed using the following link: http://eur‐lex.europa.eu/legal‐content/EN/TXT/HTML/?uri=CELEX:32016R0679

VI. Right to object

As a data subject, you have a right to object under the conditions provided in Article 21 of the General Data Protection Regulation.

At the latest in our first communication with you, we expressly inform you of your right, as a data subject, to object.

More detailed information on this is given below:

1. Right to object on grounds relating to the particular situation of the data subject

As a data subject, you have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on Article 6 paragraph 1 point (e) or (f), including profiling based on those provisions.

You can find information as to whether an instance of processing is based on Article 6 paragraph 1 point (e) or (f) of the General Data Protection Regulation in the information regarding the legal basis of processing in Section B of this Data Protection Information.

In the event of an objection relating to your particular situation, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

You can find the full extent of your right to objection in Article 21 of the General Data Protection Regulation, which can be accessed using the following link: http://eur‐lex.europa.eu/legal‐content/EN/TXT/HTML/?uri=CELEX:32016R0679.

2. Right to object to direct marketing

Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.

You can find information as to whether and to what extent personal data are processed for direct marketing purposes in the information regarding the legal basis of processing in Section B of this Data Protection Information.

If you object to processing for direct marketing purposes, we no longer process your personal data for these purposes.

You can find the full extent of your right to objection in Article 21 of the General Data Protection Regulation, which can be accessed using the following link: http://eur‐lex.europa.eu/legal‐content/EN/TXT/HTML/?uri=CELEX:32016R0679.

VII. Right to withdraw consent

Where an instance of processing is based on consent pursuant to Article 6 paragraph 1 point (a) or Article 9 paragraph 2 point (a) of the General Data Protection Regulation, as a data subject, you have the right, pursuant to Article 7 paragraph 3 of the General Data Protection Regulation, to withdraw your consent at any time. The withdrawal of your consent does not affect the legitimacy of the processing that occurred based on your consent until the withdrawal. We inform you of this before you grant your consent.

You can find information as to whether an instance of processing is based on Article 6 paragraph 1 point (a) or Article 9 paragraph 2 point (a) of the General Data Protection Regulation in the information regarding the legal basis of processing in Section B of this Data Protection Information.

VIII. Right to lodge a complaint with a supervisory authority

As a data subject, you have a right to lodge a complaint with a supervisory authority under the conditions provided in Article 77 of the General Data Protection Regulation.

The supervisory authority responsible for us is:

Bayerisches Landesamt für Datenschutzaufsicht
Postfach 606
91511 Ansbach

poststelle@lda.bayern.de
 +49 (0) 981 53 1300

D. Information about the technical terms of the General Data Protection Regulation used in this Data Protection Information

The technical terms relating to data protection used in this Data Protection Information have the meaning used in the General Data Protection Regulation.

The full scope of the definitions of the General Data Protection Regulation can be found in Article 4 of the General Data Protection Regulation, which can be downloaded from the following link: https://eur‐lex.europa.eu/legal‐content/EN/TXT/HTML/?uri=CELEX:32016R0679.

You will find more detailed information on the most important technical terms of the General Data Protection Regulation used in this Data Protection Information below:

“Personal data“

“Personal data“ means any information relating to an identified or identifiable natural person („data subject“); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“Data Subject“

“Data Subject“ means the respective identified or identifiable natural person, to which the personal Data refers to;

“Processing“

“Processing“ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

“Profiling“

“Profiling“ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

“Controller“

“Controller“ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

“Processor“

“Processor“ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

“Recipient“

“Recipient“ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

“Third party“

“Third party“ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

“International organisation“

“International organisation“ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries;

“Third country“

“Third country“ means a country which is not a member state of the European Union („EU“) or the European Economic Area („EEA“);

“Special categories of personal data“

“Special categories of personal data“ means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

E. Effective date of and changes to this Data Protection Information

The effective date of this Data Protection Information is October 10, 2018.

It may be necessary to modify this Data Protection Information due to technical developments and/or amendment of statutory or official requirements.

An up‐to‐date version of this Data Protection Information can be retrieved at any time at www.vgp.de/en‐uk/dataprotection.