Data protection declaration according to Art. 13 and 21 GDPR
for the content and functions of the DiBooq desktop app and the DiBooq mobile app (hereinafter “Services”) of DiBooq GmbH
Status: September 2021
The protection of your personal data is extremely important to us, DiBooq GmbH, Heinrich-Mann-Allee 3B, 14473 Potsdam. That is why we would like to offer you comprehensive transparency with regard to the processing of your personal data. Only if the processing is traceable to you as the data subject are you sufficiently informed about the scope, purposes and benefits of the processing. This data protection declaration applies to all processing of personal data carried out by us in the context of the DiBooq desktop app and the DiBooq mobile app, both as part of the provision of our services and within external online presences, such as our social media fan pages.
The person responsible within the meaning of the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) and other data protection requirements is
14473 Potsdam (Germany)
+49 179 4918329
Hereinafter referred to as “responsible person” or “we”.
2. General information on data processing
2.1 Personal data
Personal data are individual details about personal or factual circumstances of a specific or identifiable natural person.
Individual details about personal or factual circumstances are, for example:
- Address, telephone number, email address
- IP address & location data
- Value judgments such as certificates
2.2 This is how we process personal data
We process personal data within the legally permissible limits. This means that data processing operations are based on a legal basis. These are standardized in Art. 6 para. 1 GDPR. Most data processing is based on a legitimate interest on our part (Art. 6 Paragraph 1 lit. f GDPR), on processing operations necessary for the execution of the contract (Art. 6 Paragraph 1 lit. b GDPR) or on your consent (Art. 6 Paragraph 1 lit. a GDPR). In the latter case, you will be notified of the consent process separately (e.g. via a cookie banner).
We only process personal data for clear purposes (Art. 5 Para. 1 lit. b GDPR). As soon as the purpose of the processing no longer applies, your personal data will be deleted or protected by technical and organizational measures (e.g. by pseudonymisation).
The same applies to the expiry of a prescribed storage period, subject to the cases in which further storage is necessary for the conclusion or fulfillment of a contract. In addition, there may be a legal obligation to store it for a longer period of time or to pass it on to third parties (in particular to law enforcement authorities). In other cases, the storage period and type of data collected as well as the type of data processing depend on which functions you use in the individual case. We will be happy to provide you with information about this in individual cases, in accordance with Art. 15 GDPR.
2.3 We process these data categories
Data categories are in particular the following data:
- Master data (e.g. names, addresses),
- Contact details (e.g. e-mail addresses, telephone numbers, messenger services),
- Content data (e.g. text input, photographs, videos, content of documents / files),
- Contract data (e.g. subject of the contract, terms, customer category),
- Payment data (e.g. bank details, payment history, use of other payment service providers),
- Usage data (e.g. history in our services, use of certain content, access times),
- Connection data (e.g. device information, IP addresses, URL referrers).
2.4 We take these security measures
In accordance with the legal requirements and taking into account the state of the art, the implementation costs and the type, scope, circumstances and purposes of processing as well as the different probabilities of occurrence and the extent of the threat to your rights and freedoms, we take suitable technical and organizational measures, to ensure a level of protection appropriate to the risk.
The measures include, in particular, ensuring that your data is stored and processed confidentially, with integrity and available at all times. Furthermore, controls of the access to your data as well as the access, the input, the transfer, the securing of the availability and their separation from the data of other natural persons belong to the security measures that we implement. Furthermore, we have set up procedures that ensure the exercise of the rights of data subjects (see section 5), the deletion of data and reactions in the event of a threat to your data. Furthermore, we take the protection of personal data into account when developing our software as well as through procedures that comply with the principle of data protection through technology design and data protection-friendly default settings.
2.5 This is how we transmit or disclose personal data to third parties
As part of our processing measures for your personal data, it may happen that this data is transmitted or disclosed to other bodies, companies, legally independent organizational units or persons. These third parties can include, for example, payment institutions in the context of payment transactions, service providers commissioned with IT tasks or providers of services and content that we have integrated into our website. If we transmit or disclose your personal data to third parties, we observe the legal requirements and in particular conclude corresponding contracts or agreements that serve to protect your data with the recipients of your data.
2.6 This is how a third country transfer takes place
In some cases, we transfer your personal data to a third country, i.e. a country outside the EU or outside the EEA. If we process your data in a third country or if the processing takes place in the context of the use of third-party services in a third country, this will only be done in accordance with the legal requirements.
Furthermore, a transfer to third countries usually only takes place with your express consent. Should this not be available, we assure that we have a contractual or legal authorization to transmit and process your data in the relevant third country. In addition, we only have your data processed by service providers in third countries who have a recognized level of data protection. This means that there must be contractual obligations between us and the service provider in the third country through so-called standard protection clauses of the EU Commission or the service provider in the third country can show data protection certifications and your data will only be processed in accordance with internal data protection regulations (Art. 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de ).
2.7 Information on the cookies used
Cookies are small text files that contain data from websites or domains you have visited and that are stored on your device (computer, tablet or smartphone). If you access a website, the cookie stored on your device sends information to the person who placed the cookie.
2.7.1 First-party cookies and third-party cookies
Our services can set third-party cookies and enable third parties to place cookies on your device. The difference between a first-party cookie and a third-party cookie is the control over the placement of the cookie. First-party cookies are cookies that are specific to the service that created them. Their use enables us to offer an efficient service and to evaluate your user behavior in our services. Third-party cookies are stored on your device by third parties (i.e. not by us). Although we can allow third parties to access our services in order to place these cookies on your devices, we have no control over the information provided by the cookies or access to this data. This information is fully controlled by the third parties in accordance with their respective privacy policies.
In terms of purpose, we differentiate between:
- Functional cookies: These cookies are necessary for the basic functions of the services. These cookies enable, for example, a secure login and the storage of the progress of the order processes. Furthermore, they enable, for example, the storage of your login data, the contents of the shopping cart and the uniform display of page content.
- Statistics cookies: These cookies enable us to analyze the services so that we can measure and improve their performance. You can change your personal settings for the statistics cookies by clicking on the corresponding opt-out link.
- Marketing cookies: These cookies are used to provide you with advertising that may be relevant to your interests. These cookies enable, for example, sharing pages on social networks and writing comments. Offers that could match your interests are also displayed. You can change your personal settings for the marketing cookies by clicking on the corresponding opt-out link.
|Cookie name|Cookie function / purpose|Storage period|Type|
|---|---|---|---|
|i18n_redirected|Saves the current language setting|1 year|HTTP cookie|
2.7.3 Storage duration of cookies
If we do not provide you with any explicit information on the storage duration of cookies (e.g. in the context of the cookie banner), you can assume that the storage duration can be up to two years. If cookies have been set on the basis of your consent, you have the option at any time to revoke your consent or to object to the processing of your data by cookie technologies (collectively referred to as “opt-out”).
3. Data processing in connection with the use of our services
The use of our services with all their functions goes hand in hand with the processing of personal data. We explain exactly how this happens here.
3.1 Use of our services for information purposes
Calling up our services for informational purposes requires the processing of the following personal data and information: browser type and version, operating system used, address of previously visited websites, address of the device with which you access our services (IP address) and the time of access to our services. All of this information is automatically transmitted by your browser if you have not configured it in such a way that the transmission of the information is suppressed.
These personal data are processed for the purpose of the functionality and optimization of our services, as well as to guarantee the security of our information technology systems. These purposes are also legitimate interests according to Art. 6 Para. 1 lit. f GDPR, the processing is therefore carried out on a legal basis.
3.2. Use after registration
In addition to the purely informational use of our services, you have the option of registering for our services and using our entire range of services. Our services enable you and your users to select various services and access the content they contain.
This use of our services may require the processing of personal data and information in the manner specified in this Section 3.
Some processing steps can also be carried out by third-party providers. The data processing of the third-party providers takes place in accordance with the conditions of the relevant data protection declarations. In the case of data processing with third-party providers, this may be order processing within the meaning of Art. 28 GDPR. This is subject to strict legal requirements, which we comply with in the course of our contractual agreements with our contract processors.
Use after logging in and the associated data processing operations may differ from purely informational use. This data relating to your profile is collected for the purpose of optimization and for the purpose of ensuring the functionality of our offer. These are legitimate purposes according to Art. 6 Para. 1 lit. f GDPR. If your consent is necessary for the processing, we will obtain it at the appropriate point (e.g. via the opt-in option in the context of a cookie banner when using our service for the first time). If you have any further questions, we are available to answer them within the scope of your right to information according to Art. 15 Para. 1 GDPR.
3.3 Contact form / contact via email
We process the personal data you provide to us when you contact us for the purpose of answering your inquiry, your e-mail or your callback request. Processed data categories are master data, contact data, content data, possibly usage data, connection data and possibly contract data. In individual cases, we forward this data to companies affiliated with us or third parties whom we commission to process orders. The legal basis for processing depends on the purpose of making contact.
- Basically it is based on our legitimate interest and thus on Art. 6 Para. 1 lit. f GDPR;
- If the aim is to conclude a contract, the authorization is based on Art. 6 Para. 1 lit. b GDPR.
3.4 User account
3.4.1 Setting up and using a user account
You can create a user account (hereinafter also “profile”) in our services in order to use our services and their features. If you do this, the personal data you provide there will be transmitted to us by your browser and stored in our information technology systems. Your IP address and the time of registration are also saved. When you log into your profile, our service places cookies on your device to enable you to remain logged in, even if you have to reload our services in the meantime. By creating the profile, you can use the functions of our services.
The processing operations associated with creating a profile serve the purpose of being able to assign future usage processes and to be able to call up the entire range of our services. When ordering any additions and products to the platform, the processing of your data also serves to execute the contract and is therefore earmarked and required in accordance with Art. 6 Para. 1 lit. b GDPR.
The storage of the IP address and the time of registration is necessary to ensure the security of our information technology systems. This is also our legitimate interest, which is why the processing is also lawful in accordance with Art. 6 Para. 1 lit. f GDPR.
The personal data you have entered is stored until your profile is deleted by us, and beyond that only for as long as processing is necessary to fulfill the contract.
A transfer of data to third parties is not intended.
3.4.2 Login & Registration
In order to be able to use our services, you must first register. We then create a user profile to which the specific information about your registration can be assigned. You can only register with your email address. The processing of your personal data as part of the registration is necessary so that we can verify your registration and each registration process. The legal basis for data processing is Art. 6 Para. 1 lit. b GDPR.
3.5 Web hosting
3.5.1 Provision of our services
In order to be able to provide you with our services, we use the services of a web hosting provider. Our services are accessed from the servers of these web hosting providers. For these purposes, we use the infrastructure and platform services, computing capacity, storage space and database services as well as security services and technical maintenance services of the web hosting provider.
The processed data includes all data that you enter as part of your use and communication in connection with your visit to our services or that are collected from you (e.g. your IP address). Our legal basis for using a web hosting provider to provide our services results from Art. 6 Para. 1 lit. f GDPR (legitimate interest).
3.5.2 Receiving and sending emails
The web host services we use can also include sending, receiving and storing e-mails. For these purposes, the addresses of the recipients of your e-mails as well as the senders as well as further information regarding the e-mail dispatch (e.g. the providers involved) and the contents of the respective e-mails are processed. The aforementioned data are processed, among other things, for the purpose of recognizing SPAM. E-mails are generally not sent in encrypted form on the Internet. As a rule, e-mails are encrypted on the transport route, but (unless end-to-end encryption is used) not on the servers from which they are sent and received. We can therefore not assume any responsibility for the transmission path of the e-mails between the sender and the receipt on our server. Our legal basis for using a web hosting provider to receive and send emails results from Art. 6 Para. 1 lit. f GDPR (legitimate interest).
3.5.3 Collection of access data and log files
We ourselves (or our web hosting provider) collect data on every access to the server (server log files). The server log files can include the address and name of the services and files accessed, the date and time of access, the amount of data transferred, notification of successful access, browser type and version, your operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider.
The server log files can be used on the one hand for security purposes, e.g. to avoid overloading the server (especially in the case of abusive attacks, so-called DDoS attacks) and on the other hand to ensure the load on the server and its stability. Our legal basis for using a web hosting provider to collect access data and log files results from Art. 6 Para. 1 lit. f GDPR (legitimate interest).
3.6 Tracking & Tools
In order to guarantee a smooth technical process and an optimal user-friendly use of our services, we use the following services:
3.7 Google Tag Manager
Google Tag Manager is a solution with which we can manage so-called website tags via an interface and thus integrate other services into our services. The Google Tag Manager itself (which implements the tags) does not process any personal data. With regard to the processing of personal data by the integrated services, please see our explanations for the individual Google services below. The Google Tag Manager is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Website: https://marketingplatform.google.com ; Data protection declaration: https://policies.google.com/privacy .
3.8 Google Search Console
For the purpose of continuously optimizing the Google ranking of our services, we use the Google Search Console, a web analysis service from Google.
The Google Search Console enables us to carry out search analyzes, which give us information about how often our services appear in Google search results. This enables us to monitor and manage our services in the search index.
When using the Google Search Console, no personal user or tracking data is processed or transmitted to Google.
3.9 Fan pages on social media websites
We maintain fan pages on the websites of the social networks of the Internet and process personal data in this context in order to communicate with the users active there or to offer information about us. We would like to point out that your data may be processed when you visit our fan pages outside the European Union. The operators of the respective social networks are responsible for this. You can find a detailed description of the respective forms of processing and the possibilities of objection (e.g. opt-out) in the data protection declarations of the operators of the respective social networks.
We operate a so-called Facebook fan page about our company on Facebook. When you visit the Facebook fan page, Facebook can evaluate your usage behavior and provide us with information obtained from this (“Insights”). The page insights are used for the purpose of economic optimization and needs-based design of our services. Processed data categories are possibly master data, possibly contact data, content data, usage data, connection data. The recipient of the data is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland, as jointly responsible according to Art. 26 GDPR. The legal basis for processing the data in accordance with the stipulations mentioned here results from our legitimate interest and thus from Art. 6 Para. 1 lit. f GDPR.
Facebook is responsible for implementing your data subject rights. Facebook informs you about your rights as a data subject at https://www.facebook.com/legal/terms/information_about_page_insights_data . You can also assert your rights against us, we will then immediately forward your request to Facebook.
We operate a so-called Instagram fan page about our company on Instagram. When you visit the Instagram fan page, Facebook can evaluate your usage behavior and provide us with information obtained from this (“Insights”). The page insights are used for the purpose of economic optimization and the needs-based design of our website / our services. Processed data categories are possibly master data, possibly contact data, content data, usage data, connection data. The recipient of the data is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland, as jointly responsible according to Art. 26 GDPR. The legal basis for processing the data in accordance with the stipulations mentioned here results from our legitimate interest and thus from Art. 6 Para. 1 lit. f GDPR.
Facebook is responsible for implementing your data subject rights. Facebook informs you about your rights as a data subject at https://www.facebook.com/legal/terms/information_about_page_insights_data. You can also assert your rights against us, we will then immediately forward your request to Facebook.
3.10 PlugIns in our services
We use plugins to integrate content such as videos, buttons, social media icons, etc. from social networks and other websites in our services. The integration always works in such a way that the social networks learn and process your IP address via these plug-ins. The IP address is required to display the content of the plug-ins, as it is required so that the social networks whose plug-ins we have integrated can send information to your browser. Some social networks use pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The “pixel tags” can be used to evaluate information such as visitor traffic in our services. Further information can also be stored in cookies on your device and, among other things, contain technical information about your browser and your operating system, when you visit our services and other information about the use of our services and can be combined with information from other sources.
Request for material & offers
If you request material (advertising or marketing material) or offers from us, we will process your data for the purpose of sending you the materials you have requested and for creating and sending you the offers you have requested. Processed data categories are master data, contact data, connection data and, if applicable, contract data. If necessary, we will forward your request to our group companies. A transfer to a third country does not take place. The legal basis for the processing measures results from:
- Art. 6 para. 1 lit. f GDPR during processing to ensure the security of our information technology systems
- Art. 6 para. 1 lit. b GDPR when processing to request an offer or to initiate and conclude a contract.
4. Order processing
If we use external service providers to process your data, they will be carefully selected and commissioned by us. If the services that these service providers provide are order processing within the meaning of Art. 28 GDPR, the service providers are bound by our instructions and are regularly checked. Our order processing contracts comply with the strict requirements of Art. 28 GDPR and the requirements of the German data protection authorities.
5. Rights of data subjects
If your personal data is processed, you are affected within the meaning of the GDPR and you as a user have the following rights vis-à-vis the person responsible:
5.1 Right to information
You can request confirmation from the person responsible as to whether we are processing personal data relating to you.
If this is the case, you can request the following information from the person responsible:
- the purposes for which the personal data are processed;
- the categories of personal data that are processed;
- the recipients or the categories of recipients to whom the personal data relating to you have been disclosed or are still being disclosed;
- the planned duration of the storage of your personal data or, if specific information is not available, criteria for determining the duration of storage;
- the existence of a right to correct or delete your personal data, a right to restrict processing by the person responsible or a right to object to this processing;
- the right to lodge a complaint with a supervisory authority;
- all available information about the origin of the data if the personal data are not collected from the data subject;
- the existence of automated decision-making including profiling in accordance with Art. 22 Para. 1 and 4 GDPR and – at least in these cases – meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.
- You have the right to request information as to whether the personal data relating to you are being transmitted to a third country or to an international organization. In this context, you can request to be informed about the appropriate guarantees in accordance with Art. 46 GDPR in connection with the transfer.
5.2 Right to Correction
You have a right to correction and / or completion vis-à-vis the person responsible if the processed personal data concerning you is incorrect or incomplete. The person responsible must make the correction immediately.
5.3 Right to restriction of processing
Under the following conditions, you can request that the processing of your personal data be restricted:
- if you dispute the correctness of the personal data concerning you for a period of time that enables the person responsible to check the correctness of the personal data;
- the processing is unlawful and you refuse to delete the personal data and instead request that the use of the personal data be restricted;
- the person responsible no longer needs the personal data for the purposes of processing, but you need them to assert, exercise or defend legal claims, or
- if you have filed an objection to the processing in accordance with Art. 21 Para. 1 GDPR and it has not yet been determined whether the legitimate reasons of the person responsible outweigh your reasons.
- If the processing of your personal data has been restricted, this data, apart from its storage, may only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.
If the processing has been restricted according to the above conditions, you will be informed by the person responsible before the restriction is lifted.
5.4 Right to erasure
5.4.1. You can request the person responsible to delete the personal data relating to you immediately, and the person responsible is obliged to delete this data immediately if one of the following reasons applies:
- The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
- You revoke your consent on which the processing was based in accordance with Art. 6 para. 1 lit. a or Art. 9 Para. 2 lit. a GDPR and there is no other legal basis for the processing.
- You object to the processing in accordance with Art. 21 para. 1 GDPR and there are no overriding legitimate reasons for the processing, or you object to the processing in accordance with Art. 21 para. 2 GDPR.
- The personal data concerning you have been processed unlawfully.
- The deletion of your personal data is necessary to fulfill a legal obligation under Union law or the law of the member states to which the person responsible is subject.
- The personal data relating to you were collected in relation to information society services offered in accordance with Art. 8 Para. 1 GDPR.
5.4.2. If the person responsible has made the personal data concerning you public and is obliged to delete it in accordance with Art. 17 para. 1 GDPR, he shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform those responsible for data processing who process the personal data that you as the data subject have requested the deletion of all links to this personal data or of copies or replications of this personal data.
5.4.3. The right to erasure does not exist if processing is necessary
- to exercise the right to freedom of expression and information;
- to fulfill a legal obligation that requires processing under the law of the Union or of the member states to which the person responsible is subject, or to perform a task that is in the public interest or in the exercise of official authority vested in the person responsible;
- for reasons of public interest in the area of public health in accordance with Art. 9 para. 2 lit. h and i as well as Art. 9 para. 3 GDPR;
- for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes in accordance with Art. 89 para. 1 GDPR, insofar as the right specified in Para. 1 is likely to make the achievement of the objectives of this processing impossible or seriously impair it, or
- to assert, exercise or defend legal claims.
5.5 Right to be informed
If you have asserted the right to correction, deletion or restriction of processing against the person responsible, the person responsible is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this correction or deletion of the data or restriction of processing, unless this turns out to be impossible or involves a disproportionate effort.
You have the right vis-à-vis the person responsible to be informed about these recipients.
5.6 Right to data portability
You have the right to receive the personal data concerning you, which you have provided to the person responsible, in a structured, common and machine-readable format. You also have the right to transfer this data to another person responsible without hindrance from the person responsible to whom the personal data was provided, provided that
- the processing is based on consent in accordance with Art. 6 para. 1 lit. a GDPR or Art. 9 Para. 2 lit. a GDPR or on a contract in accordance with Art. 6 para. 1 lit. b GDPR and
- the processing is carried out using automated procedures.
In exercising this right, you also have the right to have your personal data transmitted directly from one person in charge to another person in charge, insofar as this is technically feasible. This must not impair the freedoms and rights of other people.
The right to data portability does not apply to the processing of personal data that is necessary for the performance of a task that is in the public interest or takes place in the exercise of official authority that has been transferred to the person responsible.
5.7 Right to Object
You have the right, for reasons that arise from your particular situation, to object at any time to the processing of your personal data that is based on Art. 6 Para. 1 lit. e or f GDPR; this also applies to profiling based on these provisions.
The person responsible will no longer process the personal data concerning you unless he can prove compelling legitimate reasons for the processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
If the personal data relating to you are processed in order to operate direct mail, you have the right to object at any time to the processing of the personal data relating to you for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct advertising.
If you object to processing for direct marketing purposes, the personal data relating to you will no longer be processed for these purposes.
In connection with the use of information society services – regardless of Directive 2002/58 / EC – you have the option of exercising your right of objection by means of automated processes that use technical specifications.
5.8 Right to revoke the declaration of consent under data protection law
You have the right to revoke your declaration of consent under data protection law at any time. Withdrawing your consent does not affect the legality of the processing carried out on the basis of your consent up to the point of withdrawal.
The processing is lawful until your revocation; the revocation therefore only affects the processing after receipt of your revocation. You can informally declare your revocation by post or email. Your personal data will then no longer be processed, subject to another legal basis. If this is not the case, your data must be deleted immediately in accordance with Art. 17 Para. 2 GDPR. Your right to withdraw your consent subject to the above conditions is guaranteed.
Your revocation should be sent to:
14473 Potsdam (Germany)
+49 179 4918329
5.9 Right to complain to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your place of residence, your place of work or the place of the alleged violation, if you are of the opinion that the processing of your personal data violates the GDPR.
The supervisory authority to which the complaint was lodged informs the complainant about the status and the results of the complaint, including the possibility of a judicial remedy in accordance with Art. 78 GDPR.
6. Automated decisions in individual cases including profiling
Automated decisions in individual cases including profiling do not take place.
7. Notification obligations of the person responsible
If your personal data has been disclosed to other recipients (third parties) for legal reasons, we will notify them of any correction, deletion or restriction of the processing of your personal data (Art. 16, Art. 17 Paragraph 1 and Art. 18 GDPR). The notification obligation does not apply if it involves a disproportionate effort or is impossible. We will also inform you about the recipients on request.