Privacy policy in accordance with the Church Law on Data Protection of the Evangelical Church in Germany

The following information provides you an overview of the processing of your personal data when you are visiting our website and your rights as a data subject. As an an evangelical order, we are subject to the Church Law on Data Protection of the Evangelical Church in Germany (hereinafter referred to as “DSG-EKD”). Therefore, all data processing (e.g. collection, processing, and transmission) is carried out in accordance with the applicable stipulations.

1) Name and Address of the Controller

Controller within the meaning of the DSG-EKD and other national data protection laws of the member states, as well as other applicable data protection regulations is:

Johanniterorden
(Balley Brandenburg des ritterlichen Ordens St. Johannis vom Spital zu Jerusalem
Finckensteinallee 111
12205 Berlin
Germany
Tel.: +49 30 2309970-0
E-mail: info@johanniterorden.de
Website: http://www.johanniterorden.de/

2) Contact Details of the Local Data Protection Officer

The local data protection officer of the controller is:

Ms. Cennet Rüzgar-Horoz
PwC Cyber Security Services GmbH
Friedrich-Ebert-Anlage 35-37
60327 Frankfurt am Main
Germany
E-mail: johanniter-dsb@pwc-cybersecurity.com

3) General Information on Data Processing

3.1. Scope of the Data Processing

We process your personal data only insofar as it is necessary for the provision of a functional website and our content and services. The processing of your personal data is regularly only carried out based on your consent. An exception applies in those cases where obtaining prior consent is not possible for actual reasons and the processing of the data is permitted and/or required by law.

3.2. Legal Basis for the Processing of Personal Data

In the following section, we want to provide an overview about the legal basis for the processing of personal data under the DSG-EKD.

• Consent (§ 6 No. 2 DSG-EKD):
  You have given your informed and voluntary consent to the processing of your personal data;
• Fulfilment of contract and pre-contractual inquiries (§ 6 No. 5 DSG-EKD):
  The processing of the personal data is necessary for the fulfilment of a contract between our order and you, or conducting pre-contractual actions to conclude a contract;
• Legitimate interest (§ 6 No. 4, in conjunction with § 6 No. 8 DSG-EKD):
  The processing is necessary for the purposes of the legitimate interests pursued by our order or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms.

3.3. Data Deletion and Storage Period

When your personal data is no longer required for the purposes it was processed for, it will be deleted or restricted. We may store your personal data for longer if we are required to do so e.g. by applicable law. Personal data will also be restricted or deleted if a storage period prescribed by the aforementioned provisions expires, unless there is a necessity for the continued storage of the data for the conclusion or fulfilment of a contract.

3.4. Recipients

As part of the processing of personal data carried out by us, we may use third parties to provide the services described herein. These recipients are web hosters/data centers and software providers used by us, which are all located within the European Union. Contractual agreements on data protection exist with them in accordance with the applicable regulations.

4) Provision of the Website and Creation of Log Files

4.1. Description and Scope of Data Processing

Each time you access our website, our system automatically collects data and information from your computer system. The following data is collected:

1. Information about the browser type and version used;
2. The operating system of the user;
3. The internet service provider of the user;
4. The IP address of the user;
5. Date and time of access;
6. Protocol and log data (technical data such as meta and system data).

Such data is stored in the log files of our system. A storage of this data together with other personal data does not take place.

4.2. Legal Basis for Data Processing

The legal basis for the temporary storage of the data and log files is § 6 No. 4 and No. 8 DSG-EKD.

4.3. Purpose of Data Processing

The temporary storage of the IP address by the system is necessary to enable delivery of the website to your computer. For this purpose, it is necessary to keep your IP address stored for the duration of the session. 

These purposes also reflect our legitimate interest in data processing according to § 6 No. 4 and No. 8 DSG-EKD.

4.4. Duration of Storage

The personal data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. In this case, the purpose is achieved, when the respective session has ended.

The data will be stored in log files up to seven days. Storage beyond this period is still possible. However, in this case, your IP address will be deleted or alienated so that it is no longer possible to identify you as the visiting user.

4.5. Possibilities for Objection and Removal

The collection of data for the provision of the website as well as the storage of the data in log files is necessary for the operation of the website. Consequently, there is no possibility for the users to object.

5) Use of Cookies and Third-Party Tools

5.1. Scope of the Processing of Personal Data

We use cookies on our website to ensure you have an optimal website experience. This allows us to make our website work more user-friendly and effectively, save preferences of visitors, conduct marketing activities, measure our website traffic, and implement security features.

Cookies are small text files that are stored on your terminal device by our web application, and which enable us to recognise your internet browser. Most common internet browsers are set to automatically accept cookies. However, you can deactivate this or set your internet browser so that it informs you about the use of cookies. Please note that the functionality of our website can be impaired when you deactivate cookies in your browser.

In general, there are two different kinds of cookies:

• Session Cookies:
  Are only saved on your device until you close your current browser session. 
• Permanent Cookies:
  Are saved on your device until the defined period is reached or you delete them. If not stated otherwise users should assume that the cookie is a permanent cookie.

5.2. Legal Basis for the Use of Cookies

Regarding the legal basis, two types of cookies have to be differentiated: technically necessary cookies and those, which are not technically necessary.

Technically necessary cookies are cookies that are needed for the website’s functionality and cannot be deactivated in your systems. Generally, these cookies are only set in response to actions you take that correspond to a request for service, such as setting your cookie preferences, logging in or completing forms.

5.2.1. Legal Basis for Technically Necessary Cookies.

Technically necessary cookies are saved on and later read from your device based on § 25 (2) No. 2 of the German Telecommunications Telemedia Data Protection Act (hereinafter referred to as “TTDSG”). Any further processing is based on § 6 No. 4 and No. 8 DSG-EKD as it is our legitimate interest to provide you our website as some features or technical functions are not possible without using cookies.

5.2.2. Legal Basis for Optional Cookies

The legal basis for saving and reading optional cookies from you device is your consent according to § 25 (1) TTDSG. Any further processing is based on your consent according to § 6 No. 2 DSG-EKD.

5.3. Purpose of the Processing and Duration of Storage

We are currently only using technically necessary cookies to provide you our website as required by our used website software.

These cookies are:

Cookie	Type	Purpose	Duration of storage
Users Cookie	Permanent	Technically necessary for the login into the WordPress administration and user backend of the website	15 days

5.4 Possibilities for Objection and Removal

Every Browser offers the functionality to delete cookies that are saved on your device. The way of deletion depends on your browser:

• Google Chrome: https://support.google.com/accounts/answer/32050
• Firefox: https://support.mozilla.org/en-US/kb/clear-cookies-and-site-data-firefox
• Vivaldi: https://help.vivaldi.com/desktop/privacy/cookies/
• Microsoft Edge: https://support.microsoft.com/en-us/microsoft-edge/63947406-40ac-c3b8-57b9-2a946a29ae09

6) E-mail Contact

6.1. Description and Scope of Data Processing

You can contact us via E-mail. In this case, we receive and store your personal data. This includes:

• Your contact information (e.g., first and/or last name, E-mail address)
• Message content

No data will be transmitted to third parties in this context.

Please do not send sensitive data by e-mail, unless it is protected by technical measures as encryption or passwords.

6.2. Legal Basis for the Data Processing

The legal basis for the processing of data transmitted by sending an e-mail is § 6 No. 4 and No. 8 DSG-EKD or, if applicable, § 6 No. 5 DSG-EKD.

6.3. Purpose of Data Processing

The processing of personal data you provide to us by E-mail is solely processed in order to facilitate the electronic communication and to handle your request. This also constitutes a necessary legitimate interest in processing of this data.

6.4. Duration of Storage

Your personal data will be deleted as soon as the purpose of the communication has been achieved, unless legal retention periods prevail.

If the communication can be deemed a business correspondence, we are obliged by the German commercial code to retain the communication for at least 6 years. If the communication is tax related the German Tax Code requires us to retain the data for 10 years.

6.5. Possibility of Objection and Removal

You can object to the storage of your personal data by contacting us by E-mail at any time. In such case, the communication cannot be continued and all personal data will be deleted if we are not legally required to store the communication.

7) Rights of data subjects

If the controller processes your personal data, you as data subject within the context of the DSG-EKD have the following rights:

7.1. Right of Information

You may request a confirmation from the controller whether your personal data is being processed or not.

If such processing is taking place, you may request the controller to provide you with the following information:

1. The purposes for which the personal data is processed;
2. The categories of personal data which are processed;
3. The recipients, or categories of recipients, to whom the personal data concerning you have been or will be disclosed;
4. The planned duration of the storage of the personal data relating to you or, if specific information on this is not possible, criteria for determining the storage period;
5. The existence of a right to rectification or deletion of personal data concerning you, a right to restriction of processing by the controller, or a right to object to such processing;
6. The existence of a right of appeal to a supervisory authority;
7. Any available information about the origin of the data, if the personal data was not collected from the data subject.

You have the right to request information on whether the personal data concerning you is transferred to a third country or to an international organization.

7.2. Right of Correction

You have the right of correction and/or completion against the controller if your processed personal data is inaccurate or incomplete. The controller shall carry out the rectification without undue delay.

7.3. Right to Restrict Processing

You may request the restriction of the processing of your personal data under the following conditions:

1. You contest the accuracy of the personal data concerning you for a period, which enables the controller to verify the accuracy of the personal data;
2. The processing is unlawful, and you object to the deletion of the personal data and request instead the restriction of the use of the personal data;
3. The controller no longer needs the personal data for the purposes of the processing, but you need it for the assertion, exercising, or defense of legal claims; or
4. You have objected to the processing in accordance with § 22 DSG-EKD and it has not yet been determined whether the legitimate interests of the controller override yours.

If the processing of your personal data has been restricted, such data may – apart from being stored – only be processed with your consent or for the assertion, exercising, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for significant reasons of public interest within the Union or a Member State.

If the restriction of processing has been limited in accordance with the above-mentioned conditions, you will be informed by the controller before the restriction is lifted.

7.4. Right of Deletion

1. a) Obligation to Delete

You have the right to request that the controller will delete your personal data without any delay and the controller is obliged to delete this data without any delay if one of the following reasons applies:

1. The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed;
2. You withdraw your consent on which the processing was based in accordance with § 6 No. 2 DSG-EKD or § 13 (2) No. 1 DSG-EKD and there is no other legal basis that legitimized further processing;
3. You object to the processing pursuant to § 25 section 1 DSG-EKD and there are no overriding legitimate interests for the processing, or you object to the processing for the purpose of direct marketing;
4. Your personal data has been processed unlawfully;
5. The deletion of your personal data is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject;
6. Your personal data has been collected in relation to information society services offered in accordance with § 12 DSG-EKD.
7. b) Information to Third Parties

If the controller has made your personal data public and is obliged to delete the data pursuant to § 21 DSG-EKD, the controller shall take reasonable steps, including technical measures, with regards to the available technology and the costs of implementation, to inform other controllers of the deletion that also process your personal data, including all links, copies or replications.

1. c) Exceptions

The right of deletion does not exist insofar as the processing is necessary:

1. For exercising the right to freedom of expression and information;
2. For compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercising of official authority vested in the controller;
3. For reasons of public interest in the area of public health in accordance with § 13 (2) No. 8 and 9 DSG-EKD and § 13 (3) DSG-EKD;
4. For the assertion, exercising, or defense of legal claims.

7.5. Right of Information

If you have asserted the right to rectification, deletion, or restriction of processing against the controller, the controller is obliged to inform all recipients to whom your personal data has been disclosed of this rectification or deletion of data, or restriction of processing, unless this proves impossible or involves a disproportionate effort.

You have the right to assert against the controller and to be informed about these recipients.

7.6 Right to Data Portability

You have the right to receive the personal data concerning you that you have provided to the controller in a structured, commonly used, and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the former controller to whom the personal data has been provided, so long as:

1. The processing is based on consent pursuant to § 6 No. 1 DSG-EKD or § 13 (2) No. 1 or No. 8 DSG-EKD or on a contract pursuant to § 6 No. 5 DSG-EKD; and
2. The processing is carried out with the aid of automated procedures.

In exercising this right, you also have the right to have the personal data concerning you transferred directly from one controller to another controller, insofar as this is technically feasible. This must not affect the freedoms and rights of other persons.

The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercising of official authority vested in the controller.

7.7. Right of Objection

You have the right to object at any time, on interests relating to your particular situation, to the processing of personal data concerning you, which is carried out on the basis of § 6 No. 4 or No. 8 DSG-EKD; this also applies to profiling based on these provisions.

The controller shall no longer process personal data concerning you, unless compelling legitimate interests for said processing can be demonstrated, which override your interests, rights, and freedoms, or for the establishment, exercising, or defense of legal claims.

If personal data concerning you is processed for the purposes of direct marketing, you have the right to object at any time to the processing of your personal data for the purposes of such marketing; this also applies to profiling insofar as it is related to such direct marketing.

If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes.

You have the option, in the context of the use of information society services, notwithstanding Directive 2002/58/EG, to exercise your right to object by means of automated procedures using technical specifications.

7.8. Right to Withdraw the Declaration of Consent under Data Protection Law

You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out based on the consent until the withdrawal.

7.9. Automated Decision in Individual Cases Including Profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you, or similarly, significantly affects you. This does not apply if the decision:

1. Is necessary for the conclusion or performance of a contract between you and the controller;
2. Is permissible on the basis of legal provisions of the Union or the Member States, to which the controller is subject, and these legal provisions contain appropriate measures to safeguard your rights and freedoms as well as your legitimate interests; or
3. Is done with your express consent.

However, these decisions must not be based on special categories of personal data under § 13 (1) DSG-EKD, unless § 13 (2) No. 1 or No. 7 DSG-EKD apply and appropriate measures have been taken to protect your rights and freedoms, and your legitimate interests.

With regard to the cases referred to in (1) and (3) above, the controller shall take reasonable steps to safeguard your rights and freedoms, and your legitimate interests, including at least the right to obtain the intervention of a person on the part of the controller, to express their point of view, and to contest the decision.

7.10. Right to Object to the Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the supervisory authority mentioned below if you consider that the processing of personal data relating to you is in breach of the DSG-EKD.

The Commissioner for Data Protection of the Protestant Church in Germany
Berlin Branch Office
Invalidenstrasse 29
10115 Berlin
Tel. +49 (0)30-2005157-0
Fax. +49 (0)30-200515720
ost@datenschutz.ekd.de

The supervisory authority shall inform you about the status and results of the complaint, including the possibility of a judicial remedy pursuant to § 47 DSG-EKD.

Status: March 2023