Data protection

Responsible party:
DEval
Deutsches Evaluierungsinstitut der Entwicklungszusammenarbeit gGmbH
Fritz-Schäffer-Str. 26
53113 Bonn
T: +49 228-336907-0
datenschutz(at)deval.org

Our Data Protection Officer is:
Andreas Werner c/o Infora GmbH
Friedrichstrasse 200
10117 Berlin
T: +49 (0) 30-893658-58
dsb-deval[at]infora.de

“Personal data” within the meaning of the EU’s General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (new version) means any information relating to an identified or identifiable natural person (“data subject”), such as log data, IP addresses, name, address and date of birth, but also telephone number and e-mail address. When you use the website merely for information purposes, we only collect the personal data automatically transmitted by your browser to our server. If you wish to log into our website, we collect the following data which we require for technical purposes to display the website and ensure its security and stability. This includes:

When using our online offering, further personal information may be collected and processed:

• Personal data (e.g. names, addresses).
• Content data (e.g. entries in online forms).
• Contact data (e.g. email, phone numbers).

The processing may concern the following categories of persons:

• IP address
• date and time of the request
• time zone difference from Greenwich Mean Time (GMT)
• content of the request (specific site)
• Personal data (e.g. names, addresses).
• Content data (e.g. entries in online forms).
• Contact data (e.g. email, phone numbers).
• Personnel (e.g. employees, applicants, former employees).
• Contract and cooperation partners.
• Interested parties.
• Communication partners.
• Users (e.g. website visitors, users of online services).
• access status/HTTP status code
• volume of data transmitted each time
• website from which the request comes
• browser
• operating system and its interface
• language and version of the browser software.

Legal basis for processing

• Consent (Art. 6 Section 1 p. 1 a. GDPR) – The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
   
• Performance of contract and pre-contractual requests (Art. 6 Section 1 p. 1 b. GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
   
• Legal obligation (Art. 6 Section 1 p. 1 c. GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
   
• Legitimate interests (Art. 6 Section 1 p. 1 f. GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

Transfer of personal data

During the scope of processing personal data, it is possible that we may transfer or disclose the data to other bodies, authorities, legally independent organisational units or persons. The recipients of this data could include service providers commissioned with IT tasks or providers of services and content that is integrated into a website. In such cases, we shall observe all legal specifications and, in particular, conclude with the recipients corresponding contracts or agreements that serve to protect your data.

Data processing in third countries

If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA)) or if data processing takes place during the course of utilising third-party services or transferring or disclosing data to other persons, bodies or companies, this shall take place only in compliance with legal provisions.

Conditionally upon the express consent or contractually or legally required transmission, we process data or have data processed only in third countries with a recognised level of protection, contractual obligation through standard protective clauses from the EU Commission, relevant certifications or binding internal data protection regulations.

We store and use information collected during your visit to our websites solely for the purpose of statistical analysis and to improve the design of our website. No personal data or information about your individual usage of the website is collected. IP addresses are logged solely in abbreviated form.

Data that is logged when users access DEval’s internet offering is only transferred to third parties if we are obligated to do so legally or due to a court ruling or if the disclosure is necessary for legal or criminal proceedings in the event of attacks on DEval’s internet infrastructure. Data shall never be transferred for other non-commercial or for commercial purposes.

You may subscribe to our newsletter. This requires your consent: sign-ups to our newsletter are based on a double opt-in. This means that when you first subscribe, we send an e-mail to the e-mail address provided by you. In this e-mail, we ask you to confirm your subscription request. If you do not confirm your subscription, your information is locked and automatically deleted. We also log the IP addresses used by you and the times of subscription and confirmation. This purpose of this procedure is to provide evidence of your subscription and, should it become necessary, to investigate any possible misuse of your personal data.
The only mandatory information required to send out our newsletter is your name and e-mail address. When we receive your confirmation, we store your e-mail address, which we use to distribute the newsletter. The legal basis is Article 6(1)(a) GDPR.

You can withdraw your consent and cancel the newsletter at any time by clicking on the link provided in every newsletter e-mail or by sending an e-mail to datenschutz@deval.org.

You may subscribe to our newsletter. This requires your consent: sign-ups to our newsletter are based on a double opt-in. This means that when you first subscribe, we send an e-mail to the e-mail address provided by you. In this e-mail, we ask you to confirm your subscription request. If you do not confirm your subscription, your information is locked and automatically deleted. We also log the IP addresses used by you and the times of subscription and confirmation. This purpose of this procedure is to provide evidence of your subscription and, should it become necessary, to investigate any possible misuse of your personal data.
The only mandatory information required to send out our newsletter is your name and e-mail address. When we receive your confirmation, we store your e-mail address, which we use to distribute the newsletter. The legal basis is Article 6(1)(a) GDPR.

You can withdraw your consent and cancel the newsletter at any time by clicking on the link provided in every newsletter e-mail or by sending an e-mail to datenschutz[at]deval.org.

We maintain online presences within social networks and process user data within this framework in order to communicate with the users who are active in these networks or share information about ourselves.

We hereby point out that the users’ data may be processed outside the European Union. This may result in risks for users because, for example, it is more difficult to enforce the users’ rights.

Furthermore, user data within social networks is generally used for market research and advertising purposes. Data can also be saved in the usage profiles independently from the user’s device (particularly if users are members of the respective platforms and are logged in there).

For a detailed representation of the various processing forms and opt-out options, please see the individual privacy statements and information from the operators of the respective networks.

Services and service providers used:

• LinkedIn: Social network; service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Website: www.linkedin.com; Privacy policy: www.linkedin.com/legal/privacy-policy; Opt-out option: www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
   
• Twitter: Social network; service provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland, parent company: Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA; privacy policy: twitter.com/de/privacy, (settings) https://twitter.com/personalization.
• Xing: Social network; service provider: XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany; Website: https://www.xing.de; privacy policy (German only): https://privacy.xing.com/de/datenschutzerklaerung

We integrate functional and content elements into our online offering that is obtained from the servers of the respective provider (hereinafter referred to as “third-party provider”). This could, for example, be graphics, videos or maps (hereinafter jointly referred to as “content”).

The integration always requires the third-party providers of this content to process the users’ IP address, as the content cannot be sent to their browsers without an IP address. The IP address is therefore essential for the presentation of this content or these functions. We endeavour to only use content for which the respective provider uses the IP address solely to deliver the content.#

Services and service providers used:

• Google Fonts: We integrate Google Fonts, which results in the users’ data being used solely for the purpose of displaying the fonts in their browsers. We integrate the fonts based on our legitimate interests for technically secure, maintenance-free and efficient use of fonts, their uniform presentation and taking into consideration possible licence-related restrictions to their integration. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://fonts.google.com/; privacy policy: https://policies.google.com/privacy.
   
• LinkedIn plugins and content: LinkedIn plugins and content may include images, videos or text and buttons that users can use to share content from this online offering within LinkedIn. Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Website: https://www.linkedin.com; privacy policy: https://www.linkedin.com/legal/privacy-policy; opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
   
• YouTube videos: Video content; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://www.youtube.com; privacy policy: https://policies.google.com/privacy; opt-out options: opt-out of plugin: https://tools.google.com/dlpage/gaoptout?hl=de, settings for presentation of advertising overlays: https://adssettings.google.com/authenticated.
   
• Xing plugins and buttons: Xing plugins and buttons may include images, videos or text and buttons that users can use to share content from this online offering within Xing. Service provider: XING AG, Dammtorstrasse 29-32, 20354 Hamburg, Germany; Website: https://www.xing.com; privacy policy (German only): https://privacy.xing.com/de/datenschutzerklaerung

As a data subject in accordance with the GDPR, you have various rights that arise in particular from Art. 15 to 21 GDPR:

• Right to object: You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6 Section 1 e or f GDPR; this includes profiling based on those provisions. Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
   
• Right to object in cases of consent: You have the right to revoke any consent given at any time.
   
• Right to be informed: You have the right to be informed whether data concerned was processed and to information about this data as well as to further information and copies of the data in accordance with the legal provisions.
   
• Right to rectification: You have the right to have incomplete personal data completed and to the rectification of inaccurate personal data concerning you.
   
• Right to erasure and restriction of processing: You have the right within the legal limits to demand the erasure of data concerning you without undue delay or, alternatively, within the legal limits to restriction of processing of the data.
   
• Right to data portability: If applicable, you have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format or to have this data transmitted to another controller within the limits of the law.
   
• Complaint to supervisory authority: In accordance with the legal provisions and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.