Data security

/Data security
Data security2019-04-15T16:23:50+00:00

Privacy Information

Privacy protection notes for participants in market research studies


Privacy Protection Declaration

This Privacy Protection Declaration informs you of the type, extent, and purpose of data processing of personal data (hereafter briefly “data”) as part of our online offering and the websites, functions, and content associated with it as well as external online presences, such as social media profiles (hereafter jointly referred to as “online offering”). For more on the terminology used, such as “personal data” or its “processing”, we refer you to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).

Project owner:
Name/Company: HEUTE and MORGEN GmbH
Address: Breite Str. 137-139
ZIP/City, Country: 50667 Cologne, Germany
Commercial register No.: Commercial Register Cologne HRB 67971
Managing Directors: Dr. Michaela Brocke, Tanja Höllger, Robert Quinke, Axel Stempel
Phone: +49(0)221-995005-0
E-mail address:

Data Protection Officer:
Name/Company: isdacom GmbH, Simone Lennarz
Address: Forsbachstraße 19
ZIP/City, Country: 51145 Cologne, Germany
Phone: +49(0)2203-1836791
E-mail address:

Processed data:

  • Master data (e.g. names, addresses).
  • Contact data (e.g. e-mails, phone numbers).
  • Content data (e.g. text entries, images, videos).
  • User data (e.g. visited websites, interest in content, access times).
  • Meta/communication data (e.g. device information, IP addresses).

Processing special categories of data (Art. 9 Para. 1 GDPR):

  • We generally do not process special data categories, unless they user entered them into the processing, e.g. in online forms.

Categories of persons affected by the processing (data subjects):

  • Visitors and users of the online offering.

In the following we will also refer to the data subjects simply as “users”.

Purpose of processing:

  • Provision of online offering, seiner its content, and functions.
  • Reply to contact requests and communication with users.
  • Marketing, advertising, and market research.


As of: 04.05.2018

1. Applicable legal basis
Pursuant to Art. 13 GDPR, we inform you of the legal basis of our data processing. If the legal basis is not specified in the Privacy Protection Declaration, the following shall apply: the legal basis for collecting consent is Art. 6 Para. 1 lit. a and Art. 7 GDPR, the legal basis for processing in order to perform our services and contractual measures as well as reply to inquiries is Art. 6 Para. 1 lit. b GDPR, the legal basis for processing to meet our legal obligations is Art. 6 Para. 1 lit. c GDPR, and the legal basis for processing in order to protect our legitimate interests is Art. 6 Para. 1 lit. f GDPR. In the case that vital interests of the data subject or another natural person requires the processing of personal data, Art. 6 Para. 1 lit. d GDPR shall serve as legal basis.

2. Changes and updates to the Privacy Protection Declaration
We ask you to check the content of our Privacy Protection Declaration on a regular basis. We adjust the Privacy Protection Declaration as soon as changes to the data processing we perform requires this. We inform you as soon as the changes require you to take action (e.g. consent) or when another type of individual notification becomes necessary.

3. Security measures
3.1. Pursuant to the regulations of Art. 32 GDPR and in consideration of the state of the technology, implementation costs, and the type, extent, circumstances, and purpose of the processing as well as the different probabilities and severity of the risks to the rights and liberties of natural persons, we take suitable technical and organizational measures to prevent a level of protection commensurate with the risk; these measures include in particular ensuring the confidentiality, integrity, and availability of data by controlling the physical access to the data, as well as its access, entry, disclosure, availability, and separation. Furthermore, we have installed procedures to ensure that the rights of the data subjects are protected, deletion of data, and reaction to risks to the data. Furthermore, we account for the protection of personal data already during the development / selection of hardware, software, and processes, corresponding to the principle of privacy protection through technology design and privacy-friendly settings (Art. 25 GDPR).
3.2. The security measures include in particular the encrypted transfer of data between your browser and our server.

4. Cooperation with contractual processors and third parties
4.1. If we disclose data to other persons and companies (contract processors or third parties) as part of our processing, transfer it to them or grant them access in any other manner, this occurs only in there is a legal basis (e.g. if it is necessary to transfer the data to third parties, like payment service providers, to fulfill the contract pursuant to Art. 6 Para. 1 lit. b GDPR), if you have provided consent, if a legal obligation requires this, or based on our legitimate legal interests (e.g. when using subcontractors, web hosts, etc.).
4.2. If we hire third parties to process data based on a so-called “processing contract”, this is based on Art. 28 GDPR.

5. Transfer to non-EU/EEA countries
If we process data in a non-EU/EEA country (i.e. outside of the European Union (EU) or European Economic Area (EEA)) or if this occurs due to the use of third-party services or if there is any disclosure / transfer of data to third parties, this can only occur if it is necessary to fulfill our (pre-) contractual duties, with your consent, due to a legal obligation, or based on our legitimate interests. Subject to legal or contractual permission, we process or leave the data in a non-EU/EEA country only if specific conditions are given as specified in Art. 44 et seq. GDPR. I.e. the processing is based on specific guarantees, like the officially recognized determination of a privacy protection level corresponding to that of the EU (e.g. in the USA with the “Privacy Shield”) or adherence to officially recognized special contractual obligations (so-called “standard contract clauses”).

6. Rights of data subjects
6.1. You have the right to obtain a confirmation as to whether applicable data are processed and information concerning this data as well as additional information and a copy of the data pursuant to Art. 15 GDPR.
6.2. Pursuant to Art. 16 GDPR, you have the right to demand the completion of your data or correction of incorrect data.
6.3. Pursuant to Art. 17 GDPR, you have the right to demand that applicable data be deleted immediately and/or pursuant to Art. 18 GDPR the processing of the data be restricted.
6.4. Pursuant to Art. 20 GDPR, you have the right to demand that data that you have provided to us be transferred to you or other persons.
6.5. Pursuant to Art. 77 GDPR, you also have the right to file a complaint at the respective regulatory agency.

7. Cancellation rights
Pursuant to Art. 7 Para. 3 GDPR, you have the right to cancel any issued consent with effect for the future.

8. Right to object
Pursuant to Art. 21 GDPR, you may object to the future processing of your data at any time. The objection can be submitted in particular against the processing for the purpose of direct marketing.

9. Cookies and the right to object against direct marketing
We use temporary and permanent cookies, i.e. small files which are stored on the devices of users (see final section of this Privacy Protection Declaration for an explanation of the term and its function). Cookies partly serve for security or are necessary to use our online content (e.g. to display the website) or to save the user response when confirming a cookie banner. In addition, our technology partners use cookies for reach measurement and marketing purposes. The users are informed of this in the Privacy Protection Declaration.
A general objection to the use of cookies used for online marketing can be filed with a variety of services, especially in case of tracking, via the US site or the EU site Furthermore, the storage of cookies can be disabled in the browser settings. Please note that this may prevent you from using certain functions of this online content.

10. Deletion of data
10.1. The data we process is deleted pursuant to Art. 17 and 18 GDPR or their processing is restricted. Unless explicitly stated in this Privacy Protection Declaration, the data we store are deleted as soon as they are no longer necessary for their intended purpose and there are no legal archiving duties that prevent this. If the data is not deleted because they are necessary for other, legally permissible purposes, their processing is restricted. I.e. the data is blocked and not processed for other purposes. This applies for instance to data that needs to be stored for commercial or tax reasons.
10.2. Pursuant to legal regulations, the data are archived in particular for 6 years pursuant to § 257 Para. 1 HGB (accounting books, inventories, opening balance sheets, annual financial reports, commercial letters, posting receipts, etc.) and for 10 years pursuant to § 147 Para. 1 AO (books, records, management reports, posting receipts, commercial and business letters, documents relevant for tax filings, etc.).

11. Provision of contractual services
11.1. We process existing data (e.g. names, addresses, and contact data of users), contract data (e.g. services used, names of contact persons, payment information) for the purpose of meeting our contractual obligations and services pursuant to Art. 6 Para. 1 lit b. GDPR. The information labeled mandatory in online forms are required to conclude the contract.
11.2. During the registration and new logins as well as when using our online services, we store the IP address and time of the respective user action. This data is stored based on our legitimate interest and the protection of users against abuse and other unauthorized use. This data is generally not disclosed to third parties, unless it is necessary in the pursuit of our claims or there is a legal requirement to do so pursuant to Art. 6 Para. 1 lit. c GDPR.
11.3. We process usage data (e.g. visited websites of our online content, interest in our products) and content (e.g. entries in contact form or user profile) for advertising purpose in a user profile in order to display e.g. product information to the users based on the services they have used previously.
11.4. The data is deleted after the expiration of statutory guarantee and comparable duties. The necessity of data archiving is reviewed every three years; in case of statutory archiving requirements, the data is deleted after these expire (end of archiving duty under commercial law (6 years) and tax law (10 years)); information in the customer account remains until it is deleted.

12. Contacting us
12.1. When contacting us (per contact form or e-mail), the information of the user is used to process the contact inquiry and its implementation pursuant to Art. 6 Para. 1 lit. b) GDPR.
12.2. The information of the user may be stored in our customer relationship management system (“CRM System”) or comparable inquiry organization systems.
12.3. We use the CRM system vtiger based on our legitimate interests (efficient and fast processing of user inquiries). Your data is stored on a server hosted by us to which we have access.
12.4. We delete the inquiries as soon as they are no longer necessary. We review the necessity of storage every two years; we store inquiries from customers who have a customer account permanently and refer to the information about customer accounts concerning data deletion. In case of statutory archiving duties, the data is deleted when they expire (archiving duty under commercial law (6 years) and tax law (10 years)).

13. Collection of access data and log files
13.1. Based on our legitimate interests as defined in Art. 6 Para. 1 lit. f. GDPR, we collect data on every access to the server on which the service is located (so-called server log files). The access data includes name of the retrieved website, file, date and time of retrieval, transferred data quantity, report on successful retrieval, browser type incl. version, operating system of the user, referring URL (the previously visited site), IP address, and the requesting provider.
13.2. For security reasons (e.g. to investigate abusive or fraudulent activities), log file information is stored for a maximum of seven days and then deleted. Data which needs to be stored as evidence is exempt from deletion until final clarification of the respective incident.

14. Cookies & reach measurement
14.1. Cookies are information that is transferred from our or third-party web servers to the web browsers of users and stored there to be called up at a later point in time. Cookies may be small files or other types of information storage.
14.2. We use “session cookies”, which are only stored for the duration of the current visit to our online presence (e.g. in order to store your login status or the shopping cart function and thus the use of our online services in the first place). A randomly generated, unique ID number is deposited in a session cookie, the so-called session ID. In addition, a cookie contains the information about its origin and storage duration. These cookies cannot save any other data. Session cookies are deleted once you concluded the use of our online services and e.g. log out or close the browser.
14.3. Users are informed about the use of cookies for pseudonym reach measurements in this Privacy Protection Declaration.
14.4. If users do not wish cookies to be stored on their computers, we ask that they deactivate the use of cookies with the corresponding option in the system setting of their browser. Stored cookies can be deleted in the system settings of the browser. Blocking cookies can lead to limited functionality of these online services.
14.5. You can object to the use of cookies that serve for reach measurement and advertising purposes via the deactivation page of the network advertising initiative ( and the US website ( or the European website (

15. Google Analytics
15.1. We use Google Analytics, a web analysis service offered by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland („Google“). Google uses cookies. The information created by the cookie about the users of this website is generally transmitted to a Google server in the USA and stored there.
15.2. Google will use this information on our behalf to evaluate the users’ use of the website, to compile reports about the website activities and to provide other services associated with the use of this website and Internet usage. In this process, pseudonymous user profiles can be created for the users.
15.3. We only use Google Analytics with activated IP anonymization. This means that Google abbreviates the users’ IP address within member states of the European Union or in other countries that are parties to the agreement in the European Economic Area. The full IP address is transmitted to a Google server in the United States and abbreviated there only in exceptional cases.
15.4. The IP address transmitted by the user’s browser is not integrated with any other data from Google. Users can prevent the storage of cookies with a corresponding browser setting; furthermore, users can prevent the recording of the data generated by the cookie and referring to their website use by Google as well as the processing of these data by Google by downloading and installing the browser plug-in available at this link:
15.5. If we ask the users for consent (e.g., in the context of cookies), the legal basis of this processing is Art. 6 Para. 1 lit. a. GDPR. Otherwise, the personal data of the users are processed based on our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offer within the meaning of Art. 6 Para. 1 lit. f. GDPR).
15.6. If data is processed in the US, we point out that Google is certified according to the privacy shield agreement and thus offers the guarantee of complying with the European Data Protection Act. (
15.7. You can get further information about the data use by Google, setting and cancellation options on Google’s websites: ( as well as in the settings for advertisements provided by Google (
15.8. The personal data of users will be deleted or anonymized after 14 months.

16. Newsletter
16.1. In the following we inform you of the content of our newsletters and the subscription, shipping, and statistical analysis procedure as well as your opt-out rights. By subscribing to our newsletter, you declare your consent to receiving the newsletter and the described procedure.
16.2. Content of the newsletters: we send newsletters, e-mails, and other electronic messages with advertising information (hereafter “newsletter”) only with the consent of the recipients or legal permission. If the content of a newsletter is specifically described as part of a registration, it is decisive for the consent of the user. Otherwise, our newsletters contain information about products, deals, promotions, and our company.
16.3. Double-opt-in and logging: the registration to our newsletter employs a so-called double-opt-in procedure. I.e. you receive an e-mail after registration which asks you to confirm the subscription. This confirmation is necessary to prevent users from registering with e-mail addresses that are not theirs. Registrations for the newsletter are logged to be able to trace the subscription process in accordance with legal requirements. This includes storing the registration and confirmation time, as well as the IP address. Changes to your data stored with the shipping service provider are also logged.
16.4. Shipping service provider: the newsletter is sent using “MailChimp”, a newsletter shipping platform of the US provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. You can view the privacy protection regulations of the shipping service provider here: The Rocket Science Group LLC d/b/a MailChimp is certified under the Privacy-Shield treaty and thus guarantees adherence to the European level of privacy protection (
16.5. Furthermore, according to the shipping service provider, he may use this data in pseudonymized form, i.e. without assigning it to a user, in order to optimize or improve its own services, e.g. for the technical optimization of shipping and the representation of the newsletters or for statistical purposes in order to determine from which countries the recipient come. However, the shipping service provider does not use the data of our newsletter recipients to contact them himself or pass it on to third parties.
16.6. Subscription data: in order to subscribe to the newsletter it is sufficient to provide your e-mail address. As an option we ask that you provide a name so that we can address you personally in the newsletter.
16.7. Success measurement – the newsletters contain a so-called “web beacon”, i.e. a pixel-sized file that is accessed from the server of the shipping service provider when the newsletter is opened. This access collects technical information, such as information about your browser and your operating system, as well as your IP address and time of access. This information is used for the technical improvement of the services using the technical data or the target groups and their reading behavior using their access locations (determined through the IP address) or the access times. The statistical data collection also includes the determination whether the newsletter are opened, when they are opened, and which links are clicked. For technical reasons, this information can be associated with individual newsletter recipients. However, neither we nor the shipping service provider wish to monitor individual users. The analysis serves to detect the reading habits of our users and adapt our content to them or deliver content based on the interest of our users.
16.8. The delivery of the newsletter and success measurement are based on the consent of the recipient pursuant to Art. 6 Para. 1 lit. a, Art. 7 GDPR in conjunction with § 7 Para. 2 No. 3 UWG and based on the legal permission pursuant to § 7 Para. 3 UWG.
16.9. The subscription process is logged based on our legitimate interests pursuant to Art. 6 Para. 1 lit. f GDPR and serves as evidence of consent to the receipt of the newsletter.
16.10. Cancellation – you can cancel receipt of our newsletter at any time, i.e. withdraw your consent. You can find a link to the cancelation page for the newsletter at the end of each newsletter. If users have subscribed only to the newsletter and cancel this subscription, their personal data is deleted.

17. Integration of third-party services and content
17.1. Based on our legitimate interests (i.e.. interest in analysis, optimization and economical operation of our online services as defined in Art. 6 Para. 1 lit. f. GDPR), our online services use content or services offered by third parties in order to integrate their content and services, such as videos or fonts (hereafter uniformly called “content”). This presupposes that the third-party providers can see the IP address of the users, since it is not possible to send content to their browsers without IP address. The IP address is thus necessary to depict this content. We strive to only use such content whose providers use the IP address only to delivery content. Third-party providers may use so-called pixel tags (invisible graphics, also referred to as web bacons) for statistical or marketing purposes. These web beacons can be used to analyze information such as visitor traffic on these pages. The pseudonymous information may also be stored in cookies on the device of the user and contain technical information on browser and operating system, referring websites, visiting times, and other information about the use of our online services and may also be connected with such information from other sources.
17.2. The following representation provides an overview of third-party providers and their contents, plus links to their Privacy Protection Declarations, which contain additional information on data processing and opt-out possibilities: