Privacy Policy of WISTA Management GmbH

1. Definitions

This privacy notice of WISTA Management GmbH is based on the terminology used by the European legislator when enacting the General Data Protection Regulation (GDPR). Our privacy policy shall be easily readable and comprehensible for both the public and our customers and business partners. To ensure this, we will explain the terminology used in advance.

We use the following terms in this privacy policy:

a) Personal data

Personal data refers to any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”). A natural person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more identifiers specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.

b) Data subject

Data subject means any identified or identifiable natural person whose personal data is processed by the data processor.

c) Processing

Processing refers to any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, request, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

d) Restriction of processing

Restriction of processing is the marking of stored personal data with the aim of limiting their future processing.

e) Profiling

Profiling refers to any form of automated processing of personal data used to evaluate certain personal aspects related to a natural person, particularly to analyse or predict aspects concerning their work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.

f) Pseudonymisation

Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

g) Controller and joint controller

The controller or joint controller is the natural or legal person, public authority, agency, or other body that alone or jointly with others determines the purposes and means of processing personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for by Union or Member State law.

h) Processor

A processor is a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

i) Recipient

Recipient means a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular enquiry in accordance with Union or Member State law shall not be regarded as recipients.

j) Third party

A third party is a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons authorised to process personal data under the direct authority of the controller or processor.

k) Consent

Consent is any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which the data subject, in the form of a statement or clear affirmative action, signifies agreement to the processing of their personal data.

2. Name and address of the controller

The controller within the meaning of the General Data Protection Regulation, other applicable data protection laws in EU Member States, and other provisions related to data protection is:

WISTA Management GmbH
Rudower Chaussee 17
12489 Berlin
Germany

3. Name and address of the data protection officer

You can reach our data protection officer under the address stated above or via the following email address:

datenschutz(at)wista.de

Any data subject may contact our data protection officer directly at any time with questions or suggestions regarding data protection.

4. Your rights

We are happy to provide you with information as to whether and which of your personal data are processed by us and for which purposes (Art. 15 GDPR). In addition, under the respective legal conditions, you have the right to rectification (Art. 16 GDPR), the right to restriction of processing (Art. 18 GDPR) and the right to erasure (Art. 17 GDPR) and the right to data portability (Art. 20 GDPR).

You have the right to object to processing under the conditions set out in Art. 21 GDPR).

You may object at any time, on grounds relating to your particular situation, to the processing of your personal data based on Art. 6 (1) (e) (Processing in the public interest) or Art. 6 (1) (f) (Processing based on legitimate interests); this also applies to profiling based on these provisions. We will no longer process your personal data unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or if the processing serves the establishment, exercise, or defence of legal claims (Art. 21 (1) GDPR).

If personal data are processed for direct marketing purposes, you have the right to object at any time to such processing of personal data for the purpose of such marketing, including profiling related to direct marketing (Art. 21 (2) GDPR).

To exercise your rights, please contact us via email at datenschutz(at)wista.de or by post to WISTA Management GmbH, Rudower Chaussee 17, 12489 Berlin. Exercising your rights is free of charge.

Regardless of these rights, you have the right to lodge a complaint with a supervisory authority without prejudice to any other administrative or judicial remedy, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR (Art. 77 GDPR).

5. Purposes and legal basis for data processing

The processing of personal data can be based on various legal grounds. If we process your data to fulfil a contract with you or respond to your enquiries regarding a contract, the legal basis is Art. 6 (1) (b) GDPR. If we obtain your consent for a specific processing, the legal basis is Art. 6 (1) (a) GDPR. Some data processing is carried out based on our legitimate interest, always ensuring a balance is struck between your legitimate interests, worthy of protection, and our legitimate interests. The legal basis for this is Art. 6 (1) (f) GDPR. Insofar as the processing is necessary to fulfil a legal obligation to which we are subject, the legal basis is Art. 6 (1) (c) GDPR.

In the following, we explain how we process personal data through our websites.

5.1. Contacting us

When you contact us by email, we store the data you provide (your email address, and, if applicable, your name and telephone number) in order to respond to your enquiries and handle your request. The legal basis in this respect is Art. 6 (1) (f) GDPR.

If you provide additional information not required for contacting us, you do so voluntarily. If we request information that is not necessary for processing your enquiry, we always mark it as optional. This information serves to specify your enquiry and enables us to handle your request more effectively. The provision of such information is explicitly voluntary and based on your consent, Art. 6 (1) (a) GDPR. If this includes details of communication channels (e.g., an additional email address or telephone number), you also consent to us using these channels to contact you, if necessary, to respond to your enquiry. You can, of course, revoke this consent at any time for the future.

The data we receive from you in the course of contacting us will be deleted once it is no longer required for the purpose for which it was collected, your concern has been fully dealt with, and no further communication with you is necessary or desired by you.

If you want to send us feedback, you can send your feedback/your comment directly to us by clicking the send button. As part of this feedback function, we collect, process, and store your name and email address. We collect process and store this data only to the extent necessary for processing your feedback. The legal basis for the collection and processing of your personal data is Art. 6 (1) (f) GDPR.

In addition, you can request quotes for event venues and tickets, advertising placement, ticket reservations, or guided tours via the online request form on our website. When you contact us using this form, the data you provide (your email address, name, and, if applicable, telephone number) will be processed by us in order to handle your enquiry and provide you with a quote, Art. 6 (1) (a) (b) GDPR.

As the data controller, WISTA Management GmbH has implemented a range of technical and organisational measures to ensure the most comprehensive protection possible for the personal data processed via this website. Nevertheless, internet-based data transmissions may generally have security gaps. Absolute protection cannot be guaranteed, particularly as sending unencrypted emails is not secure. We therefore request that sensitive data is not sent by means of unencrypted email, but through either encrypted communication channels (e.g., our contact form) or postal mail.

5.3. Your publications (ads, event postings, etc.)

You have the opportunity to publish notices about your events, news articles, advertisements, and classified ads with us.

Advertisements and classified ads are published on www.adlershof.de and can be found via the search function on www.wista.de.

The publication of events and news articles takes place on the following platforms:

• Our websites www.wista.de, www.adlershof.de and/or charlottenburg.wista.de
• Our newsletters

If you would like your content to be published on a specific platform from the options above, please let us know in the comments field or via email at website(at)wista.de. If no preference is indicated, we will decide where to publish it based on the relevance to the respective site. Published content can be found using the search function on www.wista.de.

We do NOT publish personal data that have been provided solely for the purpose of submission (such as your email address used for submission). The following data are transmitted to us:

• Your email address

We use this data to clarify any queries and to send you any suggested changes if necessary. Storing your email address is also required to be able to defend us against liability claims in the event of potentially unlawful content being published. Furthermore, we require your email address to contact you should a third party report your contribution as unlawful. The processing of your data is based on Art. 6 (1) (1) (b) and (f) GDPR.

We reserve the right to filter out spam content. The legal basis for this is our legitimate interest in publishing only serious content, as per Art. 6 (1) (1) (f) GDPR.

Personal data included in your submitted advertisement, event posting, classified ad, news article, etc. (e.g., a contact person listed in a flyer or text) will be published. The legal basis for processing this data is Art. 6 (1) (b) GDPR.

We reserve the right to make editorial changes to the content you submit.

Your data will be deleted once storage is no longer required. If legal retention obligations apply, data will be stored until these obligations expire and no further retention reasons under Art. 17 (3) GDPR. Published content remains accessible, so please ensure that you have a legal basis for possible instances of sharing personal data with us and for its publication. We reserve the right to delete or remove unlawful content.

5.3. Job applications via our application portal

Applications must be submitted exclusively via the application portal wista.connectoor.de. Unsolicited applications can be sent to WISTA Management GmbH via app.connectoor.de/jobview?jobid=6319b785ddb233296b8b4573. In both cases, your online application is forwarded directly to the HR department via an encrypted connection and is, of course, treated confidentially. Should you nonetheless choose to apply by email, please be aware that sending unencrypted emails or email attachments is not secure. Furthermore, there is no guarantee that your email application will be considered.

Your details will be used for processing your application and deciding on the formation of an employment relationship. The legal basis for this is Section 26 (1) in conjunction with Section 26 (8) 2 BDSG and Art. 6 (1) (1) (b) GDPR. Additionally, your personal data may be processed if necessary for the defence against legal claims asserted against us from the application process. The legal basis for this is Art. 6 (1) (f) GDPR. The aforementioned purposes also constitute the legitimate interest in the processing of your data.

Should an employment relationship arise between you and us, we may further process the personal data already received from you for the purposes of the employment relationship in accordance with Section 26 (1) BDSG and Art. 6 (1) 1 (b) GDPR, if this is necessary for fulfilling a contract, implementing or terminating the employment relationship, or exercising or fulfilling rights and obligations arising from a law, collective agreement, works agreement, or service agreement (collective agreement) regarding employee representation.

Your application data will not be processed beyond this described usage.

Your personal data will be deleted no later than six months after the conclusion of the application process, unless there are other legitimate interests on our part that prevent deletion, or you have given us consent for longer storage. An example of such a legitimate interest would be an obligation to provide evidence in proceedings under the General Act on Equal Treatment.

Further information on data protection in our application portal can be found here: app.connectoor.de/agreements?organisation=wista&page=datenschutz.

To manage our career portal, we use Connectoor. The provider is jobEconomy GmbH, Meinekestr. 26, 10719 Berlin, Germany. Connectoor facilitates the display of our job postings, thereby promoting the application process and increasing the visibility of our vacancies. The legal bases for processing within Connectoor are Section 26 (1) BDSG, Art. 6 (1) (1) (b) GDPR, and our legitimate interest in a smooth and modern application process, Art. 6 (1) (f) GDPR. We have entered into a data processing agreement with the provider in accordance with Art. 28 GDPR to protect your data.

The provider’s privacy policy can be found here: https://www.connectoor.com/datenschutz/.

5.4. Collection of general data when accessing the website

When you use our website for informational purposes only, meaning you do not register or otherwise provide us with information (e.g., via a contact form), we collect the following technical information (log file data):

• the volume of data retrieved
• the current IP address of the device with which you access our website
• the date and time of access
• the URL of the previously visited website (referrer)
• the URL of the (sub)page you access on our website

The collection of this data is technically necessary to display our website to you and to ensure stability and security. Neither we nor our service provider generally know who is behind an IP address. We do not merge the above-listed data with other data.

The legal basis for this processing is Art. 6 (1) (1) (f) GDPR. Where an absolutely necessary access to information stored in the user’s device takes place, Section 25 (2) 2 TDDDG also applies.

As the collection of data for the provision of the website and the storage in log files are essential for the operation of the website and for protection against misuse, our legitimate interest in data processing outweighs other interests in this context.

5.5. Subscription to our newsletters

Users of the website are given the opportunity to subscribe to various newsletters from our company.

WISTA Management GmbH regularly informs its customers and business partners about company offers and news from the WISTA-managed sites via a newsletter. You can only receive our company’s newsletter if (1) you have a valid email address and (2) you have registered for the newsletter via the registration form.

The legal basis for sending the newsletter is your consent pursuant to Art. 6 (1) (a) GDPR, or the legal permission under Section 7 (3) of the German Act Against Unfair Competition (UWG). The only mandatory information for sending the newsletter is your email address.

We use the so-called double opt-in procedure for newsletter registration. This means that after you register, we will send an email to the provided address, asking you to confirm that you wish to receive the newsletter. If you do not confirm your registration, your details will be automatically deleted after 14 days.

Once you confirm, we will store your email address for the purpose of sending the newsletter until you revoke your consent. Additionally, we will store your current IP address at the time of registration, the time of registration, and the confirmation for up to three years after registration (statutory limitation period). The aim of this procedure is to be able to prove your registration in case of doubt and to investigate any misuse of your personal data if necessary. The legal basis for logging the registration is our legitimate interest under Art. 6(1)(f) GDPR in proving a previously given consent, as also outlined in Art. 7 (1) GDPR.

You can revoke your consent to receive the newsletter at any time and unsubscribe from the newsletter. You can do so by clicking the link provided in each newsletter email or by sending an email to website(at)wista.de.

5.6. Events with invitation management

We use the online software Sweap, provided by MATE Development GmbH, Rankestraße 9, 10789 Berlin, to organise events and manage guests. In doing so, we as the organiser put in data from guests and participants, which are processed exclusively within the EU/EEA on our behalf. We have signed a data processing agreement with Sweap’s provider to this end.

The following contact data are processed:

• the user’s first and last name,
• the user’s email address,
• the user’s phone number and/or mobile phone number.

In addition, technical user data is collected, including:

• the name of the accessed website,
• the file name,
• the date and time of the retrieval,
• the amount of data transferred, confirmation of successful retrieval, and browser type/version,
• consent via double opt-in procedure,
• the user’s operating system, referrer URL, IP address, and requesting provider.
• When using a mobile device, additionally: country code, language, device name, operating system, OS version.

Depending on the type of data, processing is based on Art. 6 (1) (a) or (b) GDPR.

More information and the Sweap’s privacy policy can be found here: https://www.sweap.io/en/privacy-policy.

5.7. Cookies

Cookies are data placed on your computer by a website you visit, allowing your browser to be recognised when you return. Cookies transmit information to the website that sets them. Cookies can store various types of information, such as your language preference, the duration of your visit to our website, or your inputs to the site. This helps avoid, e.g., having to re-enter form data every time you visit. The information stored in cookies can also be used to recognise preferences and tailor content to your interests.

There are different types of cookies: Session cookies are data that are temporarily stored in memory and deleted when you close your browser. Persistent cookies are automatically deleted after a set period, which can vary depending on the cookie. The information may also be stored in text files on your computer. However, you can delete these cookies at any time using your browser settings.

First-party cookies are set by the website you are visiting. Only this website can read information from these cookies. Third-party cookies are set by organisations that are not the provider of the website you are visiting. These cookies are used by marketing companies, for instance.

The legal bases for any processing of personal data through cookies and their retention periods may vary. If you have given us consent, the legal basis is Art. 6 (1) (a) GDPR. If the data processing is based on our overriding legitimate interests, the legal basis is Art. 6 (1) (f) GDPR. The stated purpose than functions as our legitimate interest.

If we access a device you use via cookies or similar technologies, as per Section 2 (2) (6) TDDTG, by storing or reading information regardless of personal reference, we will obtain your voluntary, informed consent for this purpose as per Section 25 (1) TDDTG.

Where consent under both the GDPR and the TDDTG can be consolidated, we will obtain this consent uniformly.

No consent under the TDDTG is required for accessing information already stored on your device and sent to us actively, such as the public IP address of the device, the address of the website you visited, the user-agent string with browser and operating system version, and the set language.

Additionally, no consent under the TDDTG is required if the cookie or similar technology is used to ensure the transmission of a message over a public telecommunications network (Section 25 (2) (1) TDDTG), or where the setting of the cookie and the storage of information on your device or access to information already stored on your device is essential for providing a telemedia service you have expressly requested (Section 25 (2) (2) TDDTG).

We use cookies to ensure the proper operation of the website and to provide essential functionalities. We do not use cookies that require consent.

You can delete cookies already stored on your device at any time. If you wish to prevent cookies from being stored, you can do so through your browser settings. Alternatively, you can install software called ad blockers. Please note that some functions of our website may not work if you have disabled the use of cookies.

5.8. Contentfry

We use several social media channels to communicate with you and have therefore set up a Social Wall to consolidate our communications with you. On our website, we provide a link to this Social Wall to display our social media content. To do so, we use the service Contentfry, provided by Contentfry GmbH, Vogtsrain 45, 8049 Zürich, Switzerland, which aggregates relevant social media channels and displays them on a website linked by us.

The content from the following social media providers is displayed via Contentfry on the Social Wall:

• Meta Platforms Inc. (Facebook and Instagram)
• YouTube
• LinkedIn

When interacting with the respective content (clicking on the Social Wall, viewing content), a connection is made to Contentfry’s servers, and Contentfry collects data (see below). This happens even if you are not logged into the respective social media platform or do not have an account with them.

By clicking on the Social Wall, the following data is transferred to Contentfry:

• Technical and analytical data (e.g., device used, browser, URL, number of accesses) – for security reasons and to ensure functionality
• Behavioural data in relation to the displayed content

The data stored by Contentfry primarily relates to the social media accounts displayed, such as our accounts and posts. However, it is also possible that other publicly accessible social media content will be aggregated and made available to us by Contentfry, for example, if our posts are commented on or liked. This includes content (text, video, image), location, user name, profile name, and profile picture.

Contentfry does not store cookies on its Social Walls and does not track visitors to our website.

According to the provider, no data is transmitted to the social media providers.

If Contentfry is used without the Content Delivery Network (CDN) add-on, it is possible that cookies from the social media providers may be transferred to Contentfry when viewing the Social Wall. To protect your data from being transmitted to the social media providers via their cookies, we have opted for Contentfry’s CDN add-on. This ensures that the social media profile or content is not directly sourced from the social networks but is first stored by Contentfry and then delivered without any cookies through the Contentfry domain. This prevents the social networks from tracking which client requested the images.

We do not use a Contentfry plugin but simply link to the Social Wall. You can give your consent for data transfer to Contentfry via an activation button on our website. No content from the Social Wall or Contentfry will be displayed, and no personal data will be transferred to Contentfry if you have not clicked the activation button and given your consent. Once you click the activation button, your data will be transferred to Contentfry, and the content of the Social Wall will be loaded. The activation button is located above the greyed-out area where the content will be loaded after your consent.

The use of Contentfry is based on Art. 6 (1) (a) GDPR and Section 25 (1) TDDTG. Your consent can be revoked at any time, with effect for the future.

5.9. OpenStreetMap

The websites of WISTA Management GmbH embed maps from the service provided by OpenStreetMap Foundation, St John’s Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom (wiki.osmfoundation.org/wiki/Main_Page). OpenStreetMap allows us to embed interactive maps on our website. For the correct display of the maps, it is technically necessary to make requests to the server tile.openstreetmap.org. Through these requests, it is possible that information about your use of this website (including your IP address and location data) may be transmitted to and stored on other servers. To our knowledge, OpenStreetMap uses the data of users solely for the purpose of displaying the map features and caching the chosen preferences. Further information on OpenStreetMap and the storage duration of the collected data can be found with the provider or at www.openstreetmap.de/faq.html or wiki.osmfoundation.org/wiki/Privacy_Policy.

The legal basis for the processing is your voluntary consent under Art. 6 (1) (a) GDPR and Section 25 (1) TDDTG. The consent can be revoked at any time.

You can give your consent for the data transmission to OpenStreetMap via an activation button on our website. No map content will be displayed, and no personal data will be transferred to OpenStreetMap if you have not clicked the activation button and provided your consent. Once you click the activation button, your data will be transferred to OpenStreetMap, and the map content will be loaded. The activation button is located above the greyed-out area where the map will be loaded after your consent.

If, in the context of data transmission to OpenStreetMap Foundation, a data transfer to the United Kingdom occurs, it should be noted that the United Kingdom has been recognised by the European Commission as having an adequate level of data protection comparable to that of the EU (adequacy decision).

To prevent the data transfer to OpenStreetMap, you also have the option to deactivate the OpenStreetMap service by disabling JavaScript in your browser. However, please note that in this case, the map display on our pages may not function or may only function to a limited extent.

5.10. Use of social bookmarks

This website uses social bookmarks from the following providers:

• LinkedIn (Operator: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland)
• Facebook (Operator: Meta Platforms Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA)
• WhatsApp (Operator: WhatsApp Irleand Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland)

Social bookmarks are internet bookmarks that allow users of such services to collect links and news messages. On our website, these are embedded merely as links to the respective services. After clicking on the embedded image, you will be redirected to the page of the respective provider, which means that only then will user information be transmitted to the respective provider. For information on how your personal data is handled when using these websites, please refer to the respective privacy policies of the providers.

6. Data transfer

In principle, your personal data is not transmitted to third parties unless we are legally required to do so, the transfer is necessary for the performance of the contract, or you have explicitly consented to the transfer of your data beforehand.

External service providers and partner companies, such as IT service providers, will only receive your data to the extent necessary. In such cases, however, the scope of the transmitted data is limited to the required minimum. If our service providers process your personal data on our behalf, we ensure, in accordance with Art. 28 GDPR, that they comply with data protection laws to the same extent. Please also refer to the privacy policies of the respective providers. The respective service provider is responsible for the content of third-party services. However, we conduct checks to ensure that the services comply with legal requirements within reasonable limits.

We are committed to processing your data within the EU/EEA. However, it may occur that we use service providers who process data outside the EU/EEA. In these cases, we ensure that an adequate level of data protection, comparable to the standards within the EU, is established with the recipient before transferring your personal data. This may be achieved, for example, through EU standard contracts, Binding Corporate Rules, or specific agreements that the company may be subject to.

7. Data security

We have implemented extensive technical and organisational security measures to protect your data from accidental or deliberate manipulation, loss, destruction, or unauthorised access. Our security procedures are regularly reviewed and adapted to technological advancements.