Data Protection

This notice discloses the privacy practices for the SCARLET project at https://scarlet-project.eu and applies solely to information collected by this website. In the following sections, you will be notified about:

1. What personally identifiable information is collected from you through the website, how it is used and with whom it may be shared.
2. The security procedures in place to protect against the misuse of your information.
3. How you can correct any inaccuracies in the information.

We take the protection of personal data very seriously, and are bound to protect the privacy of everyone who uses this website and to treat any personal data provided in the strictest confidence. This data is used solely for the purposes indicated in each case and is not forwarded to any third party.

I. Definitions

SCARLET’s data protection declaration is based on the terms used by the European legislator for the adoption of the General Data Protection Regulation (GDPR). Our data protection declaration should be legible and understandable for the general public, as well as our stakeholders. To ensure this, we would like to first explain the terminology used.

In this data protection declaration, we use, inter alia, the following terms:

a) Personal data

Personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

b) Data subject

Data subject is any identified or identifiable natural person whose personal data is processed by the controller responsible for the processing.

c) Processing

Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

d) Restriction of processing

Restriction of processing is the marking of stored personal data with the aim of limiting their processing in the future.

e) Profiling

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

f) Pseudonymisation

Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

g) Controller or controller responsible for the processing

Controller or controller responsible for the processing is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

h) Processor

Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

i) Recipient

Recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

j) Third party

Third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

k) Consent

Consent of the data subject is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

II. Name and address of controller

The data controller as defined in the General Data Protection Regulation, the national data protection laws of other EU member states, and other data protection regulations is:

Helmholtz Centre Potsdam – German Research Centre for Geosciences GFZ
Telegrafenberg
14473 Potsdam
Germany
Phone: +49 331 288 0
Website: https://www.gfz-potsdam.de

III. Name and address of data protection officer

The controller’s data protection officer is:

Marko Blau
Telegrafenberg
14473 Potsdam
Germany
Phone: +49 331 288 1052
Email: datenschutzbeauftragter(at)gfz-potsdam.de

IV. General information on data processing

1. Scope of personal data processing

In general, the GFZ only processes personal data collected from users insofar as this is necessary to provide a functional website with the relevant content and services. As a rule, personal data provided by users is only processed with the respective user’s consent. Exceptions apply in cases where the user’s prior consent cannot be obtained on factual grounds and statutory regulations permit the processing of personal data.

2. Legal basis for the processing of personal data

Art. 6 no. 1 lit. a EU General Data Protection Regulation (GDPR) serves as the legal basis when the GFZ obtains a data subject’s consent to the processing of his/her personal data.

Art. 6 no. 1 lit. b GDPR serves as the legal basis when processing personal data for the performance of a contract to which the data subject is a party. The same applies to any processing measures that are required if steps are to be taken before entering into a contract.

Art. 6 no. 1 lit. c GDPR serves as the legal basis when the processing of personal data is necessary for compliance with a legal obligation to which the GFZ is subject.

Art. 6 no. 1 lit. f GDPR serves as the legal basis when processing is necessary to safeguard the legitimate interests of the GFZ or a third party, and provided these legitimate interests are not outweighed by the data subject’s interests and fundamental rights and freedoms.

3. Data erasure and storage period

The data subject’s personal data is erased or blocked as soon as the purpose for which it was stored ceases to apply. Personal data may also be stored if so specified by European or national legislators in EU regulations, laws or other provisions to which the data controller is subject. In such instances, personal data is blocked or erased when a retention period specified in any of the above-named legislation expires, unless it has to be retained for longer in order to conclude or execute a contract.

V. Provision of website and generation of log files

1. Description and scope of data processing

Every time our website is accessed, our system automatically collects data and information from the accessing computer system.

The following information is stored in the web server’s log files:

  • the client’s IP address
  • the user’s ID, if the request requires the user to register
  • the date and time of the request
  • the client’s specific request, including the HTTP method, HTTP protocol version, and the path of the resource requested
  • the status code sent back to the client by the server
  • the size of the resources requested
  • the URL of the website from which the user accessed the current web page or file
  • the client program identifier

This data is also stored in our system’s log files. However, it is not stored together with other personal data collected from the user.

The legal basis for the temporary storage of this data is Art. 6 no. 1 lit. f GDPR.

2. Purpose of data processing

This data is used to optimise website use, correct errors, and safeguard the security of our information technology systems. Data collected in this context is not evaluated for marketing purposes.

The above-named purposes also constitute the GFZ’s legitimate interest in processing the data pursuant to Art. 6 no. 1 lit. f GDPR.

3. Storage period

The data is erased as soon as it is no longer required to fulfil the purpose for which it was collected. Log files are deleted within 7 days maximum.

4. Right to object and right to erasure

The collection of data for website provision and the storage of data in log files are absolutely essential to the operation of the website. The user is therefore unable to assert any right to object in this context.

VI. Use of Cookies

1. Description and scope of data processing

The SCARLET website uses cookies. Cookies are text files stored in the user’s web browser or by the web browser on the user’s computer system. Whenever a user accesses a website, a cookie can be stored on that user’s operating system.

Cookies are employed to make the website more user-friendly. Some elements on the SCARLET website require the accessing browser to be identified after the user has moved to another web page.

When accessing the SCARLET website, a configurable cookie banner allows users to either accept or reject cookies and refers them to the SCARLET data protection policy. In this context, users are also informed how the storage of cookies can be prevented by changing the browser settings.

2. Legal basis for data processing

The legal basis for the processing of personal data using cookies is Art. 6 no. 1 lit. f GDPR.

3. Purpose of data processing

The use of technically necessary cookies is intended to simplify website use. Some of the functions on our website cannot be provided unless cookies are enabled. In these cases, it is essential that the browser is also recognised after accessing another page.

The user data collected by these technically necessary cookies is not used to generate user profiles.

4. Storage period, right to object and right to erasure

Cookies are stored on the user’s computer, from where they are sent to our website. This means that users have full control over the use of cookies. Users can deactivate or restrict the transmission of cookies by changing their web browser settings. Any cookies already stored can be deleted at any time. This can also be effected automatically. If cookies are deactivated for our website, it may no longer be possible to use all the website’s functions in full.

Please note that other cookies may be sent to the user’s device when visiting our website, namely by external platforms such as YouTube, Facebook, Twitter or others.

5. Cloudflare

We use the Content Delivery Network provided by Cloudflare Germany GmbH, Rosental 7, c/o Mindspace, 80331 München, Germany (Cloudflare) to harden security while maintaining a fast website. We do this on the basis of our legitimate interest under Art. 6 para. 1 sentence 1 lit. f GDPR.

More information can be found at: https://www.cloudflare.com/cloudflare_customer_SCCs-German.pdf

VII. Contact form and e-mail contact

1. Description and scope of data processing

The SCARLET website contains a contact form that can be used to contact the SCARLET project electronically. If a user makes use of this function, the data entered into the form is sent to the GFZ and stored. If you wish to use this contact form, we need your name and e-mail address. Other information such as telephone numbers can be provided, but this is not essential.

The following additional data is stored at the time you send us your message: see section V. 1: Information in the web server’s log files.

Alternatively, you can contact us using the e-mail address provided. In this case, the personal data transmitted with the user’s e-mail is stored.

Data collected in this context is not forwarded to any third parties. It is used solely to process the correspondence.

2. Legal basis for data processing

Art. 6 no. 1 lit. a GDPR serves as the legal basis for processing data when the user’s consent has been obtained. The legal basis for processing data transmitted when sending an e-mail is Art. 6 par. 1 lit. f GDPR. If an e-mail is sent with the intention of concluding a contract, Art. 6 no. 1 lit. b GDPR constitutes an additional legal basis for the processing of this data.

3. Purpose of data processing

Personal data entered into the input mask is processed solely for the purpose of dealing with the correspondence with the user. This also constitutes the necessary legitimate interest in processing the data collected when contact is made by e-mail.

The other personal data processed during the transmission process (see IV. 1. Information in the web server’s log files) serves to prevent improper use of the contact form and safeguard the security of the information technology systems.

4. Storage period

The data is erased as soon as it is no longer required to fulfil the purpose for which it was collected. In the case of personal data entered into the contact form’s input mask and personal data sent by e-mail, this is the case when the correspondence with the user is terminated. The correspondence is deemed to have been terminated when it can be inferred from the circumstances that the facts in question have been clarified once and for all.

5. Right to object and right to erasure

The user has the right to withdraw his/her consent to the processing of personal data at any time. If the user contacts us by e-mail, he/she can object to the storage of his/her personal data at any time. It will no longer be possible to continue the correspondence in such a case.

In this instance, all personal data stored during the correspondence will be erased.

VIII. Rights of the data subject

Whenever personal data is processed, the data subject defined in GDPR has the following rights vis-à-vis the data controller:

1. Right to information

Data subjects (users) can request the GFZ’s controller to confirm whether or not the GFZ is processing their personal data.

If this is the case, data subjects are entitled to request the following information from the GFZ’s controller:

  1. the purposes for which the personal data is being processed;
  2. the recipient or category of recipient to whom your personal data has been or is to be disclosed;
  3. the period for which your personal data will be stored, or, if no specific information can be provided, the criteria used to determine that period;
  4. the existence of a right to request the controller to rectify or erase your personal data, to restrict the controller’s processing of your personal data, or to object to such processing;
  5. the existence of a right to complain to a supervisory authority;
  6. where the personal data is not collected from the data subject, any available information as to its source.

2. Right to rectification

Data subjects have the right to request the GFZ’s controller to rectify and/or complete their personal data insofar as the personal data being processed is incorrect or incomplete. In such cases, the GFZ’s controller must rectify the data immediately.

3. Right to restriction of processing

Data subjects are entitled to request restrictions on the processing of their personal data in the following circumstances:

  1. if the accuracy of the personal data is contested by the data subject for a period enabling the controller to verify the accuracy of the personal data;
  2. if the controller no longer needs the personal data for the purposes for which it was processed but it is still required by the data subject for the establishment, exercise, or defence of legal claims;
  3. if the data subject has objected to the processing of his/her data pursuant to Article 21 no. 1 GDPR and it has not yet been established whether the legitimate grounds of the GFZ override those of the data subject.

If the processing of the data subject’s personal data has been restricted, this data may – with the exception of storage – only be processed with the data subject’s consent, or to establish, exercise, or defend legal claims, or to protect the rights of another natural or legal person, or for reasons of important public interest within the EU or an EU member state.

A data subject who has obtained restriction of processing under the conditions specified above must be informed by the GFZ’s data controller before the restriction of processing is lifted.

4. Right to erasure

a) Erasure obligation

The data subject may request the controller to erase his/her personal data without delay, in which case the controller is obliged to erase the data without delay where one of the following grounds applies:

  1. The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
  2. The data subject withdraws the consent on which the processing is based pursuant to Art. 6 no. 1 lit. a or Art. 9 no. 2 lit. a GDPR, and there are no other legal grounds for the processing.
  3. The data subject objects to the processing of his/her data pursuant to Art. 21 no. 1 GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing of his/her data pursuant to Art. 21 no. 2 GDPR.
  4. The user’s personal data was processed unlawfully.
  5. The personal data has to be erased for compliance with a legal obligation in EU or member state law to which the controller is subject.

b) Information to third parties

If the GFZ’s controller has made the data subject’s personal data public and is obliged pursuant to Art. 17 no. 1 GDPR to erase it, the controller, taking account of the technology available and the cost of implementation, must take reasonable steps, including technical measures, to inform controllers who are processing the personal data that the data subject has requested the erasure of any links to, or copy or replication of, his/her personal data.

c) Exceptions

No right of erasure exists if the data has to be processed

  1. to exercise a right to freedom of speech and information;
  2. for compliance with a legal obligation according to which processing is required by EU or member state law to which the controller is subject, or for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller;
  3. for reasons of public interest in the area of public health pursuant to Art. 9 no. 2 lit. h, i and Art. 9 no. 3 GDPR;
  4. for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes pursuant to Art. 89 no. 1 GDPR, insofar as the right referred to in point a is likely to render impossible or seriously impair the achievement of the objectives of the processing; or
  5. for the establishment, exercise, or defence of legal claims.

5. Right to notification

If the data subject exercises his/her right to rectification or erasure of personal data or restriction of processing, the controller is obliged to communicate this to all recipients to whom the personal data has been disclosed unless this proves impossible or involves disproportionate effort.

The GFZ’s controller is obliged to inform the data subject about these recipients if so requested.

6. Right to object

The data subject has the right to object at any time, on grounds relating to his/her particular situation, to any processing of his/her personal data effected on the basis of Art. 6 no. 1 lit. e or f GDPR.

If this right is exercised, the GFZ’s controller will cease processing this personal data unless he/she can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject, or if the data has to be processed for the establishment, exercise, or defence of legal claims.

7. Right to revoke the declaration of consent provided in compliance with data protection legislation

The data subject has the right to withdraw his/her consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing effected on the basis of the data subject’s consent before its withdrawal.

8. Right to complain to a supervisory authority

Without prejudice to any other administrative or judicial remedy, the data subject has the right to lodge a complaint with a supervisory authority, in particular in the member state of his/her habitual residence, place of work, or place of the alleged violation, if the data subject considers that the processing of his/her personal data violates the GDPR.

9. Right to data portability

Each data subject shall have the right granted by the European legislator, to receive the personal data concerning him or her, which was provided to a controller, in a structured, commonly used and machine-readable format. He or she shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, as long as the processing is based on consent pursuant to point (a) of Article 6(1) of the GDPR or point (a) of Article 9(2) of the GDPR, or on a contract pursuant to point (b) of Article 6(1) of the GDPR, and the processing is carried out by automated means, as long as the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Furthermore, in exercising his or her right to data portability pursuant to Article 20(1) of the GDPR, the data subject shall have the right to have personal data transmitted directly from one controller to another, where technically feasible and when doing so does not adversely affect the rights and freedoms of others.

In order to assert the right to data portability, the data subject may at any time contact adela.marian@rifs-potsdam.de.

10. Automated individual decision-making, including profiling

Each data subject shall have the right granted by the European legislator not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her, or similarly significantly affects him or her, as long as the decision (1) is not necessary for entering into, or the performance of, a contract between the data subject and a data controller, or (2) is not authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, or (3) is not based on the data subject’s explicit consent.

If the decision (1) is necessary for entering into, or the performance of, a contract between the data subject and a data controller, or (2) it is based on the data subject’s explicit consent, the RIFS Potsdam shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and contest the decision.

If the data subject wishes to exercise the rights concerning automated individual decision-making, he or she may, at any time, contact adela.marian@rifs-potsdam.de.