Data Protection

Privacy Policy

antwerpes ag, Vogelsanger Str. 66, 50823 Cologne, Germany (in the following called ‘we’ or ‘antwerpes’”) is very serious about protecting your personal data (in the following also called ‘data’). By means of this Privacy Policy we wish to inform you about how and to what extent we collect, process and use data on our webpages under the domains

• https://www.antwerpes.com/de/
• https://www.antwerpes.com/en/

and when you use the services offered on these pages (in the following also called ‘our services’).

Name and address of the data controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) and other regulations and laws referring to data protection law is:

antwerpes ag
Vogelsanger Str. 66
50823 Cologne
Germany
Tel.: +49 (0)221-920530
Email: info@doccheck.com

Represented by the Board:
Thilo Kölzer (CEO)
Michael Vorbrink, Christiane Schrix

Name and address of the Data Protection Officer

The Data Protection Officer of antwerpes ag is:

Tim Halver
DocCheck AG
Vogelsanger Str. 66
50823 Cologne
Germany
Tel.: +49 (0)221-920530
Email: datenschutz@doccheck.com

For all questions related with data protection you are welcome to contact our Data Protection Officer.

1. What are personal data?

Data protection refers to the protection of personal data. Article 4 (1) GDPR defines personal data as any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

In addition, data protection law distinguishes some special categories of personal data. These include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation (Article 9 (1) GDPR).

Data concerning health mean personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about a person’s health status (Article 4 (15) GDPR).

2. How do we collect and process such data?

When you use our services, data may be collected, processed and retained in different manners. It can be done either directly by our system, by a company mandated by us and bound by our instructions, or by a third party (please refer to point 3ff.) Important tools for online data processing involve technologies like cookies and HTML5 web storage that are able to temporarily store or access information on your end device. Therefore we would like to explain these technologies:

Cookies and HTML5 web storage

Technologies called cookies and HTML5 web storage are small text files that are placed and stored on your end device. The purpose of cookies and HTML5 web storage is to retain some information beyond the current session, that is, even after you close the window or leave the website. When visiting the website again, your browser will access the information stored on your device and transfer it to the server of the website. Subsequently, the operator of the website can read this information.

There are different areas of application for cookies and HTML5 web storage technology:

Session cookies and session storage

On the one hand, cookies and web storage are used to temporarily store information, containing e.g. log-in information or user settings or entries that have already been made and/or identifiers (called ‘session objects’ in the following).

Such session objects include data like e.g. a unique identifier (also called ‘session ID’ as a pseudonym) that assigns different requests of your browser to one session and helps recognise your end device on different subpages of the website. Such an assignment is also possible when you return to the website during an ongoing session, e.g. after having accessed another webpage in the meantime.

For one, the use of session objects is necessary so you do not lose the entries made in interrelated input masks and to restore your entries in any case of trouble (e.g. when the connection to the website is briefly interrupted while you request a subsequent input mask) and to be able to correct an earlier entry also by clicking on the ‘Go Back’ button of your browser. Yet session objects may also be necessary for a variety of other features, like the function to log in to a user system. In this regard, their use is in line with the recognised technical and organisational measures implemented to prevent unauthorised third-party access to your data.

Because of their ability to assign different requests of your browser to a single session, session objects can be used, in principle, to track your browsing behaviour on a website or to deliver targeted advertising and to make sure e.g. that you do not click on ad banners repeatedly, with intention to defraud.

Preference cookies and local storage

Cookies and web storage technology are also meant to save your preferred settings for a website and to assist you in finding the desired information regarding the services on offer (called ‘preference objects’ in the following). Without the use of such preference objects some features would not be available at all or with significant restrictions only.

Unlike session objects, preference objects are not able to assign several browser requests to a specific session. In particular, when you return to a website at a later stage, they do not allow recognition because they contain only setting parameters.

Use of session and preference objects when using our services

As described above, session and preference objects can serve a wide variety of purposes. Where we specify the individual data processing purposes (under point 3), you find the explanation for what purpose we use each sort of technology. There we will also inform you whether session or preference objects are used for the specific processing purpose.

Disabling and deleting cookies and web storage objects

Most web browsers have a menu option ‘Help’ where you find information how to technically disable cookies and web storage objects and what settings you can use to be informed by your browser about the placing of a new cookie or web storage object. Please bear in mind that some functions of our website may not be available when you disable cookies and web storage objects.

3. What data do we collect for what purpose, and what happens to your data?

3.1. Data that we process when you visit our website

3.1.1. Operation of the website

Whenever you browse our website, even when you visit our website without logging in and/or using specific services, the following data are collected and processed without tracing you back:

Directly by us:

• The website visited previously by you (also called referrer URL);
• The pages of our website that you request;
• The date and time of accessing our website;
• The internet protocol (IP) address of the device used;
• The type of device used for browsing our website (e.g. PC, mobile phone, etc.);
• The browser and the operating system used to access our website, including the specific version and language settings.

Data that we obtain from our provider, CANCOM Pironet AG & Co. KG, Obenhaupt­straße 12, 22335 Hamburg, Germany:

• Other similar data and information aimed at averting hazard caused by attacks on our IT systems.

This information is needed to:

• Correctly deliver the content of our website;
• Optimise the content of our website and advertising, like adjusting the content for viewing it on a mobile device;
• Ensure the long-term functionality of our IT systems and the technology of our website; and
• Provide prosecution authorities with information required for law enforcement in the case of a cyberattack.

The collected data are anonymised by us after the specific web session is completed. In the following, they are analysed for statistical purposes and with the aim of enhancing data protection and data security in our company, so we can ensure an optimum level of protection for the personal data that we process. In this regard the processing of your data is justified by our legitimate interests and is based on Article 6 (1) (f) GDPR.

3.1.2. Optimising the display and expanding the functions of our website

Of course, we want to offer you a unique user experience and seek to provide our services swiftly and optimise them for display on your specific end device. We also wish to offer multimedia services and integrate further content.

For these purposes we use the tools, mentioned under this point 3.1.2 for optimising the display of content and expanding the functions of our website. In this regard the data processing is justified by our legitimate interests, as explained above, and is based on Article 6 (1) (f) GDPR.

For details about the specific data processing operations please refer to the following passages. Where nothing else is mentioned, the described processing operations are carried out by service providers mandated by us and bound by our instructions on the basis of a designated processing agreement (Article 28ff. GDPR):

Google Hosted Libraries, Google Fonts, Google Maps and YouTube

We use Google Hosted Libraries, Google Fonts, Google Maps and YouTube (in this section summarised as ‘Google Services’) operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (called ‘Google’ in the following). Google Services make it possible to integrate and offer further functions on our website, like dynamic content and animations, and to display fonts not installed on your end device, plus multimedia content like maps and videos. Where necessary Google uses some of the session objects mentioned under point 2 to be able to show the specific content and prevent an abuse of Google Services.

Data processing via Google Services covers the following data:

• IP address
• Device, operating system/browser

For this sort of data processing the information is transferred to a server of Google in the United States and is processed and stored there. Google is Privacy Shield-certified and has made a commitment to comply with the EU-US Privacy Shield principles, published by the US Department of Commerce, with regard to the collection, use and retention of personal data from EU member States.

In addition to disabling session objects, as described in point 2, you have the option to prevent data processing by Google Services by activating the ‘Do not Track’ setting in your browser.

For further information about data processing by Google, please read Google’s privacy policy which is available here: https://policies.google.com/?hl=en&gl=en. Here you find additional information by Google on data protection issues: https://support.google.com/analytics/answer/6004245?hl=en.

CloudFlare

To protect our services against cyberattacks and issues with accessibility and to optimise page load speeds for our services we use what is called the CloudFlare Content Delivery Network (CDN) of CloudFlare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA (in the following called ‘CloudFlare’).

Data processing by CloudFlare covers the full data traffic regarding our services, including in particular the following data:

• IP address
• Device, operating system/browser

As a rule, the data are erased within 4 hours, at the latest after 3 days. However, a longer retention is possible in the cases mentioned under point 5.

For this sort of data processing the information is transferred to a server of CloudFlare in the United States and other non EU-countries and is processed and retained there. CloudFlare is Privacy Shield-certified and has made a commitment to comply with the EU-US Privacy Shield principles, published by the US Department of Commerce, with regard to the collection, use and retention of personal data from EU member States. Moreover, as our data processor, CloudFlare has also given us guarantees with regard to the technical and organisational measures implemented to protect the data, even for data processing in third countries.

For further information about data processing by CloudFlare, please read CloudFlare’s privacy policy which is available here: https://www.cloudflare.com/security-policy. Here you find additional information by CloudFlare on data protection issues: https://blog.cloudflare.com/what-cloudflare-logs/.

3.1.3. Internet audience measurement and use analysis

Of course, it is our wish to tailor our services to your needs and offer you a superior user experience. Therefore we continuously check the functionality of our services and seek to correct functions recognised as flawed or not user-friendly. Another of our concerns is to know whether and to what extent our services reach the target groups identified by us. For these purposes it is necessary to understand where, how and to what extent our services are used.

To obtain this information we use the tools mentioned under point 3.1.3 for internet audience measurement and use analysis. In this regard the data processing is justified by our legitimate interests and is therefore based on Article 6 (1) (f) GDPR.

For details about the specific data processing operations please refer to the following passages. Where nothing else is mentioned, the described processing operations are carried out by service providers mandated by us and bound by our instructions on the basis of a designated processing agreement (Article 28ff. GDPR):

Google Analytics

We use the web analysis service Google Analytics operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (in the following called ‘Google’) that creates pseudonymised user profiles by using session objects as described under point 2. This enables us to collect information about the clicking and browsing behaviour of our visitors.

Data processing via Google Analytics covers the following data:

• IP address and geolocation based on the IP address
• Device, operating system/browser
• Scrolling and clicking behaviour

For this sort of data processing the information is transferred to a server of Google in the United States and is processed and retained there. Google is Privacy Shield-certified and has made a commitment to comply with the EU-US Privacy Shield principles, published by the US Department of Commerce, with regard to the collection, use and retention of personal data from EU member States.

In addition to the options described under point 2 of disabling session options, you can prevent data processing via Google Analytics by installing a browser add-on made available by Google here: https://tools.google.com/dlpage/gaoptout?hl=en-GB.

For further information about data processing by Google, please read Google’s privacy policy which is available here: https://policies.google.com/?hl=en&gl=en/. Here you find additional information by Google on data protection issues: https://support.google.com/analytics/answer/6004245?hl=en.

3.2. Data that we process when you contact us

When you contact us via the channels offered on our website, in particular by using the contact form or the email addresses and fax numbers displayed, we process the date and hour of your request plus any information that you choose to let us know. This refers e.g. to your form of address, (academic) title, name, (mobile) phone number, email address and any other information provided on a voluntary basis. These data will be used to handle your contact enquiry. In this regard the processing of your data is justified by your request and is based on Article 6 (1) (b) GDPR. As far as the additional data are concerned that you supply us on a voluntary basis, data processing is justified by your consent and is therefore based on Article 6 (1) (a) GDPR.

When you use our contact form, your internet protocol (IP) address is also retained. The retention is necessary to ensure the availability of our services and to prevent the possibility of abuse. Where necessary, the information may be used to help investigate crimes and enforce private third-party claims. Against this backdrop we retain your IP address for security reasons. In principle, these data are not provided to third parties unless there is a legal obligation to disclose them or if the disclosure is for the purpose of criminal prosecution. The legal basis for processing such data is Article 6 (1) (f) GDPR.

When an enquiry is sent while you use our services and/or in the context of our contractual relationship, including the steps prior to entering into a contract, the data provided in your request are collected and retained for the duration of our contractual relationship. In any other case the retention will last, in principle, as long as this is required for answering your enquiry. However, a longer retention is possible in the cases mentioned under point 5.

4. How do we handle your data?

As we process the data, we seek to achieve the highest possible protection level for every specific purpose of use. Although absolute protection cannot be guaranteed, we have taken precautions to protect your data.

So we always transfer your data in an encrypted mode. For this purpose we use the SSL (Secure Socket Layer) coding system to prevent third parties from intercepting the data flow and viewing your message in plain text. The use of the SSL coding system is indicated by the ‘https://’ in the address bar of your browser and, in addition, common browsers will show a ‘lock’ sign in the address bar. This means, you can be sure that your data are transferred securely to us.

5. How long do we retain your data?

We process and retain personal data for the time required to achieve the intended purpose (see point 3).

We delete the data once the purpose for which the personal data have been made available to us is achieved or if it is your wish that your personal data are erased, unless we are legally entitled to keep them (e.g. for evidence purposes in the context of handling our contractual relationship) or have an obligation to retain them (e.g. for tax purposes). Such retention periods may be longer than the periods originally required for a specific purpose (standard retention period). When it comes to the retention of billing documents e.g., we are obliged to store them for a period of 10 years (pursuant to section 147 (3) of the German Fiscal Code (‘Abgabenordnung’)).

Once the original purpose of use has been achieved or ceases to exist we will no longer use the personal data for further processing. As soon as the entitlement lapses and/or the legal retention obligation expires, we permanently delete the data.

6. Do we do supply your personal data to third parties?

We may supply the data to one or more persons or companies respectively that process data for us, the data controllers, in the contexts described above (so-called data processors).

Currently, we have mandated the following persons or companies respectively with the processing of data (data processing pursuant to Article 28 GDPR):

• CANCOM Pironet AG & Co. KG (host provider, see point 3.1.1.)
• Google LLC (see point 3.1.2.)
• CloudFlare, Inc (see point 3.1.2.)
• DocCheck AG (parent company and hoster)

These data processors process your data with the required diligence. They are subject to our control and depend on our instructions. Thus it is ensured that your rights are always safeguarded as the data are processed, in particular the rights explained under point 7 below.

Your data are not disclosed to third parties for any other purposes.

7. What rights do you have?

With regard to the use of your data you have the rights set out in the following. You may exercise these rights in respect of us as the controller. In this context you are welcome to turn directly to our Data Protection Officer.

7.1. Right of access

At any time you have the right to obtain information from us, free of charge, about the personal data retained about your person and to be given a copy of this information. Moreover, you have the right to access the following information:

• The purposes of the processing;
• The categories of personal data concerned;
• The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
• Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
• The existence of the right to request from the controller rectification or erasure of the personal data or restriction of processing of personal data concerning you or to object to such processing;
• The right to lodge a complaint with a supervisory authority;
• Where the personal data are not collected from the data subject, any available information as to their source;
• The existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Moreover, you have a right to be informed where personal data are tranferred to a third country or an international organisation. Where this is the case, you also have the right to be informed about the appropriate safeguards relating to the transfer.

If you want to exercise this right of access, you may turn to our Data Protection Officer or any other of our employees at any time.

Your right of access is mainly based on Art 15 GDPR.

7.2. Right to rectification of inaccurate and completion of incomplete data

You have the right to obtain without undue delay the rectification of inaccurate personal data concerning you. Furthermore, taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

If you want to exercise this right to rectification, you can turn to our Data Protection Officer or any other of our employees at any time.

Your right to rectification of inaccurate and completion of incomplete data is based on Article 16 GDPR.

7.3. Right to erasure (Right to be forgotten)

You have the right to obtain from us the erasure of the personal data concerning you without undue delay where one of the following grounds applies:

• The personal data were collected for such purposes or otherwise processed for which they are no longer necessary.
• You withdraw your consent on which the processing is based according to point (a) of Article 6 (1) or point (a) of Article 9 (2) GDPR and there is no other legal ground for the processing;
• You object to the processing pursuant to Article 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21 (2) GDPR;
• The personal data have been unlawfully processed;
• We are obliged to erase your personal data for compliance with a legal obligation in Union or member State law;
• The personal data have been collected in relation to the offer of information society services referred to in Article 8 (1) GDPR.

Where one of the above grounds applies and you want to obtain the erasure of the personal data stored by us, you can turn to our Data Protection Officer or any other of our employees at any time. Our Data Protection Officer or our employee will make sure that your request for erasure is fulfilled without undue delay.

Your right to erasure of data is based on Art 17 GDPR.

7.4. Right to restriction of processing

You have the right to obtain from us restriction of processing where one of the following grounds applies:

• The accuracy of the personal data is contested by you, and specifically for a period enabling us to verify the accuracy of the personal data
• The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead.
• We no longer need the personal data for the purposes of the processing, but you still require them for the establishment, exercise or defence of legal claims;
• You have objected to processing pursuant to Article 21 (1) GDPR pending the verification whether the legitimate grounds of our company override your interests.

Where one of the above grounds applies and you want to obtain the restriction of processing of personal data stored by us, you can turn to our Data Protection Officer or any other of our employees at any time. Our Data Protection Officer or another employee will arrange for the restriction of processing.

Your right to restriction of processing is based on Art 18 GDPR.

7.5. Right to data portability

You have the right to receive the personal data concerning you, which you provided to us, in a structured, commonly used and machine-readable format. This includes and you have the right to transmit those data to another controller without hindrance from us, where (i) the processing is based on consent pursuant to point (a) of Article 6 (1) or point (a) of Article 9 (2) GDPR or on a contract pursuant to point (b) of Article 6 (1) GDPR, and (ii) the processing is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

Moreover, in exercising your right to data portability, you have the right to have the personal data transmitted directly from one controller to the other where this is technically feasible and where this does not adversely affect the rights and freedoms of others.

Your right to data portability is based on Art 20 GDPR.

7.6. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6 (1) GDPR, including profiling based on those provisions.

In case you object, we no longer process the personal data concerning you, unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purposes of establishing, exercising or defending legal claims.

Where we process personal data for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, the personal data concerning you are no longer processed for such purposes.

Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89 (1) GDPR, you also have the right, on grounds relating to your personal situation, to object to processing of personal data concerning you, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

To exercise your right to object you may turn to our Data Protection Officer or any other of our employees. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may also exercise your right to object by automated means using technical specifications.

Your right to object is based on Art 21 GDPR.

7.7. Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless the decision is necessary for entering into, or performance of, a contract between you and us, or is authorised by Union or Member State law to which we are subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or is based on your explicit consent.

Where the decision is necessary for entering into, or performance of, a contract between you and us or is based on your explicit consent, we implement suitable measures to safeguard your rights and freedoms and legitimate interests, yet at least the right to obtain human intervention on part of our company, to express your point of view and to contest the decision.

If you want to exercise your rights related with automated-decision making, you can turn to our Data Protection Officer or any other of our employees at any time.

These rights are based on Art 22 GDPR.

7.8. Right to withdraw declaration of consent under data protection law

You have the right at any time to withdraw your consent, in whole or in part, to processing of personal data.

The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

If you want to exercise your right to withdraw consent, you can turn to our Data Protection Officer or any other of our employees at any time. You find the contact data above in this Privacy Policy.

Your right to withdraw consent given under data protection law is based on Article 7 (3) GDPR.

7.9. Right to lodge a complaint with the supervisory authority

You have the right to lodge a complaint with the supervisory authority. This right is based on Art 56 (2) GDPR.

8. Amendment to this Privacy Policy

The use of collected data is always subject to the privacy policy in force at the time of collecting the data.

We reserve the right to amend this Privacy Policy to take into account changes with regard to the factual and legal situation. In this case we will publish the new and updated version of the privacy policy on our website. When the occasion arises, we shall use appropriate measures to draw the attention to the amendment to our privacy policy. This shall be applicable in particular where we plan to use data, already collected at a given time, for other than the originally stated purposes.

Where the use of your personal data is based on your consent, we shall only use your data within the scope to which you gave consent, irrespective of an amendment to this Privacy Policy at a later stage. If required, in such a case, we shall ask for renewed consent specifying the data use that we have in mind.