Data Protection Policy

Version 2.3 of 13 January 2023

The protection of your personal data is very important to us. In accordance with the relevant data protection regulations we inform you in the following about the collection, processing and use of your data in the context of our

Website
Newsletter
Donations
Online Campaign Signatures
Events
Job applications
Data subject rights

Website

Within the use of the website www.algorithmwatch.org, we - AW AlgorithmWatch gGmbH – as the data controller (hereinafter also referred to as “we” or “us”), collect and store the data you provided as long and so far this is necessary to fulfil the specified purposes and legal obligations. In the following, we will inform you about what data is involved, how the data is processed and what rights you have, especially in regard of the General Data Protection Regulation (EU) 2016/679 (GDPR).

Collection and processing of personal data and their purposes

Webhosting

For the provision of this website, we use the web hosting service manitu GmbH, Welvertstraße 2, 66606 St. Wendel, Germany. (hereinafter “Manitu”).

The offer if the website requires the commissioning of a webhost service.

The legal foundation for utilization of wservices is Art. 6 Subs. 1 Sentence 1 lit. f GDPR due to our legitimate economic interest to make our offer available on this website. In connection with the hosting wservices collects data in our behalf, which accrues while the use of the website.

We have concluded a data processing agreement with web hosting wservices. Through this agreement the service provider ensures, that he processes the data in accordance with the General Data Protection Regulation and ensures the protection of the data subject rights.

When visiting the website

You can access the website www.algorithmwatch.org without disclosing your identity. The browser on your end device automatically sends information to our website server (e.g. IP address of the querying computer, date and time of the access, name and URL of the accessed file, browser type and version and also further information sent by the browser (such as your computer’s operating system, the name of your access provider, geographical origin, etc.).

This information, which also includes your ip-address, is temporarily stored in a log file. The following information is collected without any action on your part and deleted automatically after 1 month.

We process these data to ensure trouble-free connection to the website, comfortable use of our website, for evaluating system security and stability and also for further administrative purposes.

The legal foundation for the data processing is Art. 6 (1) lit. f GDPR. Our legitimate interest follows from the above purposes for the data collection.

Under no circumstances do we use the collected data for the purpose of drawing conclusions about your person.

Improvement of our offering using visit statistics

To improve our online services, we occasionally evaluate how the site is used.

For this purpose, we create visitor statistics by using the web analytics software Matomo (formerly Piwik). In doing so we don’t collect personal data.

Matomo saves two anonymized identification numbers in your browser (HTTP cookies), in order to differentiate between the different website users. In this context your IP address is used for the analysis, while being shortened in a manner that makes it impossible to link it to you.

You have two options, should you not agree to us using your visits of our website in order to create these statistics:

You can block and delete the cookies which are used by our website using your browser settings;
You can disable javascript on our website.

Comment function and spam protection

If you choose to use the comment function at the end of articles, we will collect the data on the commenting users name or used nickname, the email address, the website if applicable as well as the IP address. This data is stored with the comment. The processing of data in the course of publishing online comments and user reactions is justified because it is in our legitimate interest to partake in an opinion and information exchange pursuant to Article 6 (1) lit. f GDPR. To prevent the misuse of this function we use the plug-in Aksimet which is used to detect comments containing spam.

Youtube

With consent pursuant to the first sentence of Article 6 (1) lit f) GDPR, we use components (videos) of YouTube, LLC, 901 Cherry Avenue, 94066 San Bruno, CA (USA) (hereinafter referred to as ‘YouTube’), a company of Google Inc., Amphitheatre Parkway, 94043 Mountain View (USA), (hereinafter referred to as ‘Google’).

We use the ‘extended data protection mode’ option provided by YouTube.

Upon requesting an Internet page with embedded video, our website connects to the YouTube servers and renders the content on the Internet page using your browser.

According to the information provided by YouTube, in the ‘extended data protection mode’, your data will be transferred to the US YouTube servers only while you watch the video. The transferred data include the Internet page you just viewed and device-specific data including your IP address. By clicking ‘run’ on the video you agree to this transfer.

Should you be logged into your YouTube account at the same time, YouTube will associate these collected data with your member account. You may prevent this by logging out of your YouTube account prior to visiting our website.

Google complies with the data protection regulation of the US Privacy Shield and is registered with the US Privacy Shield Program of the US Department of Commerce.

You may find further information on data protection in context with YouTube in Google’s Data Protection Regulations: https://www.google.de/intl/de/policies/privacy/

Data security

All the data you personally transfer will be sent encrypted with the customary and secure TLS standard (Transport Layer Security). TLS is a secure and proven standard, which is also used for online banking, for example. You can recognize a secure TLS connection inter alia by the "s" appended to the http (i.e. https://..) in the ad-dress bar of your browser or by the lock symbol at the bottom of your browser.

We also use suitable technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorized access by third parties. Our security measures are continually monitored and improved to reflect technological developments.

Data subject rights

Please see below.

AlgorithmWatch offers several newsletters that users can subscribe to: The bi-weekly newsletter on automated decision-making systems, the AlgorithmWatch Community Newsletter and the Digital Autonomy Hub Newsletter, which can be found on its website.

For all subscribers to these newsletters, the following privacy policy applies.

With your subscription of the newsletter, we store your e-mail address, IP address, the date of registration, and, if provided, your first and last name, as well as your organization. For the registration process, we use the so-called Double-Opt-In procedure in order to prevent fraud by using a confirmation e-mail, thereby making sure that you really want to be contacted by us.

We analyse your use of the newsletter for purposes of the design of future newsletters as well as for personalisation and personalized targeting purposes. In particular, we use link and opening tracking. However, other techniques may also be used that either store information on your end device or access information stored on it in connection with the analysis. Finally, we may also use information from our other projects - e.g. DataSkop - for personalisation purposes, in which case we will inform you separately.

We store your personal data until you withdraw your consent to receive the newsletter or object to the processing.

We use the service Mailjet provided by Mailgun Technologies, Inc. (Mailgun) for emailing and contact management services. If you subscribe to a newsletter, your data is processed on Mailgun's servers based on our instructions (Art. 28 DSGVO). Insofar as data is processed by Mailgun or Mailgun's subprocessors outside the EU/EEA and there is no adequate level of data protection corresponding to the EU standard, we have also concluded standard contractual clauses (available at: https://www.mailjet.com/legal/dpa/) of the European Union as appropriate guarantees and to establish an appropriate level of data protection with Mailgun.

The legal ground for the collection and processing of this data is Article 6.1 (a) GDPR and, insofar as information is stored or accessed on your terminal device for analysis purposes, additionally on the basis of Sec. 25 para. 2 no. 2 TTDSG. Your data is being solely used for the distribution of the newsletters and only based on what you have given consent to. The date of your registration is collected exclusively for documenting your registration to the newsletter. Insofar as you were already a subscriber prior to the introduction of personalisation, the legal basis for this is Article 6.1 (f) GDPR, whereby our legitimate interest lies in the purpose of the processing. Subscribers can subscribe or unsubscribe themselves, without any intervention from AlgorithmWatch, at any time via the “unsubscribe“ link in each newsletter, or via e-mail to newsletter@algorithmwatch.org. By unsubscribing, they withdraw their consent or object to any of the processing mentioned above.

Participation in surveys

We occasionally conduct surveys on our website. If you participate in a survey, we process the data you provide on the basis of our legitimate interests in conducting the survey and analysing the results accordingly (Art. 6 (1) (f) GDPR). The survey is analysed anonymously, i.e. no personal data is stored permanently.

If you, as part of the survey, voluntarily provide us with your email address, we will process your data so that we can keep you informed about the survey and the results. We will also inform you by email about projects, events or other news related to the survey.

We analyse your use of the newsletter in order to design it according to your needs and to be able to target and personalise it for specific audiences. In particular, we use link tracking and opening tracking. However, other technologies may also be used that either store information on your end device or access information stored on it in connection with the analysis. We use the Mailjet programme from Mailgun Technologies, Inc. (Mailgun) to send and create the newsletter and to manage subscriptions.

If you subscribe to our newsletter, Mailgun will act as processor of the aforementioned data (Art. 28 GDPR). Insofar as data is processed by Mailgun or Mailgun's processors outside the EU/EEA and there is no level of data protection corresponding to the European standard, we have also concluded the valid standard contractual clauses (available at: https://www.mailjet.com/legal/dpa/) of the European Union as suitable guarantees and to establish an appropriate level of data protection with Mailgun as part of our processing agreement.

The processing is carried out on the basis of your consent in accordance with Art. 6 para. 1 lit. a) GDPR and - insofar as information is stored or accessed on your end device for analysis purposes - additionally on the basis of § 25 para. 2 no. 2 TTDSG. We collect the date of registration in order to document the registration for the newsletter.

You can revoke your consent to the processing of your personal data and its use for sending, analysing and personalising the newsletter at any time. The cancellation or objection can be made via an "unsubscribe" link in each newsletter itself, or by email to us.

Your data will be processed for this purpose until either the survey and all activities associated with the project are completed or you withdraw your consent.

Donations

You can support AlgorithmWatch by donating via direct bank transfer or via the donation widget on the website. To do this, you need to provide standart personal data.

When using the donation widget, data is transmitted to a service provider exclusively for the purpose of processing the donation. We’re using the donation widget by twingle GmbH, Prinzenallee 74, 13357 Berlin, who we have commited to a data processing agreement in accordance with the GDPR. twingle GmbH provides the technical platform for the donation process through this widget. The data you enter when making a donation (e.g. address, bank details, etc.) are stored by twingle on servers in Germany solely for the purpose of processing the donation.

In order to issue and send donation receipts, name, e-mail address, address, account information such as IBAN and name of the bank, the total amount, the date, and the type of donation are stored. We use the data exclusively to issue the donation receipt. If an unsolicited donation receipt is desired in subsequent years, the data will continue to be stored for this purpose.

According to §147 of the German Fiscal Code (Abgabenordnung), AlgorithmWatch is obliged to keep accounting records for ten years (after the end of the calendar year in which the last donation was made). For this purpose, we store account statements that contain the sender as well as the amount and date of donation transfers. The accounting data is deleted as soon as the statutory term of ten years has been reached.

It is not possible to object to the storage of accounting data for the purpose of fulfilling the obligation to keep records in accordance with §147 of the German Fiscal Code (Abgabenordnung).

Consent to data processing for the purpose of donation certification and donation processing via twingle can be revoked at any time. A revocation has no effect on the validity of data processing procedures in the past.

Signature Collection via the Open Petition Widget

This website uses the petitions' form of openPetition gGmbH, Greifswalder Str. 4, 10405 Berlin. openPetition gGmbH provides a technical platform for the collection of petitions' signatures. In order to guarantee for the validity of the petition, your personal data when signing the petition (e.g. name, address, comments) will be saved on German servers and processed by openPetition. With every page view of the petition, browser information (e.g. type of browser, operating system, IP-address, time and referrer) will be saved and processed. Logfiles will be statistically evaluated and help maintaining a fault-free operation of the websites. The data protection regulations of openPetition apply.

Signature collection via "ECI signing widget"

The widget is used to allow interested parties to sign the European Citizens' Initiative (ECI) directly on our website. The widget is currently embedded on the following pages of this website: Reclaim Your Face – A European Citizens Initiative to ban biometric mass surveillance

For ECI “signatories” (people officially signing the ECI via the first step of the widget):

For ECI signatories, the widget will collect: your full first and last names, country of residence and date of signature. Depending on your nationality, the widget will also collect a combination of the following data: residence (street, number, postal code, city, country), date of birth, national identity document type and national identity document number.¹
The data controller will be Mr Diego Naranjo, Head of Policy at EDRi. EDRi will have no access to this signatory data. National signature verification authorities will be the only entity with access to the corresponding signatory data for their country. The full list of authorities is available here: https://europa.eu/citizens-initiative/authorities-verification-and-certification-statements-support_en . At the end of the collection period, Mr Naranjo shall have temporary access to the signatory data in order to send them to the national authorities via the European Commission’s secure file transfer system. He will have no access to the data after this point.
Upon submission to the European Commission of the signatures, Mr Naranjo and the European Commission become joint controllers of the signatures. This means that you exercise your rights through contacting either of them.
We process your data to submit the signatures to the European Commission (legal obligation), based on your consent.
We keep your data maximum one month after the submission of the initiative to the European Commission or 21 months after the beginning of the collection period, whichever is the earlier. It might be retained beyond these time limits in the case of administrative or legal proceedings, for a maximum of one month after the date of conclusion of these proceedings.

For staying informed about the campaign and other related digital rights issues (supporters), we will collect: your first name and email address. Optionally, you may also provide your last name, country, and a statement of support (“Comment”).
The data processor shall be the organisation you provide your consent to keep you updated (this will be either (1) EDRi, (2) AlgorithmWatch or (3) both).
We process your data to keep you updated on ECI news and relevant campaigns (based on your consent).
For information on data protection in relation to a subscription of to the AlgorithmWatch newsletter, please read the relevant section of this Privacy Policy.

1 Note I: if you would like to specify what this will be for a particular country, you can find the full list here: https://europa.eu/citizens-initiative/data-requirements_en
Note II: as we are using our own signature collection system, there will not be any option for anyone from any country to sign with their eID.

Events

By registering online to attend an event of AlgorithmWatch, you consent to the collection, retention and use of your personal information in accordance with the terms of this policy.

Processing of your data

When you register for an event, we require certain data from you, depending on the type of event. The invitation or registration form indicates which information is required and which is voluntary. Your data will not be passed on to third parties, except service operators listed below. Any exceptions (e.g. at cooperation events with partners) will be clearly communicated during the registration.

We may use your personal data only for the following purposes:

for the organisation, realisation and processing of the event,
(if applicable) to network the participants of the event by issuing name tags and displaying lists of participants if necessary: on your name tag we only list your name; on the list of participants your name, your function and your institution, unless you object to this,
to prove that we may process your data, in particular send you information by e-mail,
to fulfil our statutory, fiscal and budgetary obligations and interests including controlling, the fight against fraud and corruption and the documentation of our activities; in particular if the event includes catering or in case you receive refunds, we must store your registration and, if applicable, invoice and payment data,
only if expressly pointed out, also for the documentation of the event by photo and film recordings, which can also be used for public relations work of AW.
Depending to the security requirements of the event (e.g. by the cooperation partner or event location), you must present a valid photo ID for admission to the events. It is used for comparison with the ID indicated in the registration process and/or the participant list. Data for potential and explicitly communicated identity checks is not stored by AW, but forwarded to the respective cooperation partner or event location after the registration deadline. The data is deleted from AW documentation immediately on the day of the event.

Your data will not be used by us for automated decision-making or for profiling within the meaning of Art. 22 GDPR.

Access to your data at AW is limited to

Our conference management team and the persons entrusted with the organization, execution and handling of the event;
Our communication and PR team for the relevant tasks
(If applicable) for the purpose of networking, your name, and if applicable and necessary function and institution are also accessible to other participants.
Photographs and films, which are published or otherwise processed for documentation or public relations purposes, may be accessible to anyone. In individual cases, we may use an order processor who uses your data exclusively for these purposes on our behalf for certain activities. The latter is strictly bound by our instructions and may not process or pass on the data for own purposes.

Voluntary disclosure of your data

The provision of your personal data is not mandatory and we try to strictly limit the processing of your personal information. However, we cannot accept your registration without stating the data indicated as required in the registration form of the respective event. If you do not provide us or our cooperation partner with proof of your identity at the entrance if requested, you will not be able to enter the event.

If you have any questions or comments, please contact events@algorithmwatch.org.

Data subject rights

Please see below.

Job and fellowship applications

Thank you for your interest in our job vacancies. The protection of your personal application data is very important to us. Therefore we inform you in the following about the collection, processing and use of your data in the context of the email application, in accordance with the relevant data protection regulations.

Data collection

In the context of your email application, we will collect and process the personal application data listed below:

Name, first name
Address
telephone number
email
Application documents (letter of motivation, curriculum vitae, certificates etc.)

Insofar as special categories of personal data within the meaning of Art. 9 para. 1 GDPR are voluntarily disclosed in the application process, their processing is also carried out in accordance with Art. 9 para. 2 lit. b GDPR (e.g. health data or ethnic background).

Purpose of data collection / dissemination

The collection and processing of your personal application data is carried out exclusively for the purpose of filling positions within our organisation.

As a matter of principle, your data will only be forwarded to the employees* of our organisation responsible for the specific application procedure. Your application data will not be used or passed on to third parties beyond this.

Retention period of application data

Your personal application data will be deleted automatically six months after completion of the application process, except in the case of a justified revocation, so that we can answer any follow-up questions regarding the application and meet our obligations to provide evidence under the Equal Treatment Act.

Storage for future job advertisements

If we are unable to offer you a position that is currently vacant, but believe, on the basis of your profile, that your application may be of interest for future openings, we will store your personal application data in our talent pool for a period of twenty-four months, provided that you expressly consent to such storage and use.

Data subject rights

Please see below.

Data subject rights

You have the right:

pursuant to Art. 15 GDPR to demand information about your personal data we process. In particular, you can demand information about
- the purposes of the processing,
- the category of the personal data,
- the categories of recipients to whom your data were or will be disclosed,
- the planned storage period,
- the existence of a right to rectification, deletion, restriction or revocation of processing,
- the existence a right to lodge a complaint,
- the origin of your data, in so far as not collected by us,
- and also about the existence of automated decision-making including profiling and where appropriate meaningful information about to details thereof;
pursuant to Art. 16 GDPR to demand immediate rectification of inaccurate or completion of your personal data saved with us;
pursuant to Art. 17 GDPR to demand deletion of your personal data saved with us, in so far as the processing is not required for exercising the right of freedom of expression and information, to comply with a legal obligation, for reasons of public interest or to establish, exercise or defend legal claims;
pursuant to Art. 18 GDPR to demand restriction of processing of your personal data, in so far as you contest the accuracy of the data, the processing is unlawful but you oppose deletion and we no longer need the data but you do to establish, exercise or defend legal claims or you have objected to processing pursuant to Art. 21 GDPR;
pursuant to Art. 20 GDPR to receive your personal data you have provided us in a structured, commonly used and machine-readable format or to demand transmission to another controller;
pursuant to Art. 7 Subs. 3 GDPR to withdraw your consent to us at any time. This means that we may no longer continue processing the data based on that consent for the future and
pursuant to Art. 77 GDPR to lodge a complaint to a supervisory authority. As a rule, you can contact the supervisory authority for your habitual residence or place of work or our registered offices.

If you want to exercise your data subject rights, simply send an email to privacy(at)algorithmwatch.org

Right to object

You have the right, pursuant to Art. 21 GDPR, to object to the processing of your personal data, insofar as there are grounds arising from your particular situation or it relates to objection to direct advertising. In the latter case, you have a general right to object which we shall heed without the stating of a particular situation.

Data controller

Postal address of the data controller:

AW AlgorithmWatch gGmbH
Linienstraße 13
10178 Berlin
Germany
If you want to exercise your right to object, simply send an email to privacy(at)algorithmwatch.org

Corrections

AlgorithmWatch will endeavour to keep your personal information accurate. If you require access to personal information we hold on you, wish to amend an inaccuracy, or have your information deleted from our files then please contact privacy(at)algorithmwatch.org.

Actuality and changes to this Data Protection Policy

This data protection policy is the latest version and amended as of 15 March 2019.

The further development of our website and online services or changes in statutory or public-authority requirements may render it necessary to amend this Data Protection Policy. The latest version of Data Protection Policy can be downloaded and printed out at any time from the website under https://algorithmwatch.org/en/privacy/