Data protection

1. Introduction

The 3rd Ecumenical Kirchentag Frankfurt 2021 (hereinafter: "OEKT") will take place largely as a digital event. Accordingly, the main venues are the OEKT website and app.

The programme events are available free of charge; no participation fee is charged. For many programmes, registration with OEKT is not required, but we recommend that all interested parties register with "My OEKT" - via the OEKT website or app.

You can only register for events with a limited number of participants through a user account with "My OEKT". Orders in the OEKT shop also require a "My OEKT" account. In addition, various additional functions, in particular personal notifications, are available via a user account.

Before we present the processing of your personal data in detail, we would like to introduce the structure of this data protection information. The contact details of the data protection officer are followed by general information on the data subject rights and the legal bases of data protection. After the note on the cooperation of the OEKT with its most important partners, we provide introductory information on the topic of cookies. This rather abstract information is followed by more specific information on our data processing procedures.

In doing so, we have formed the following thematic groups: participation in the OEKT, visiting our websites, using our app, marketing communication, our social media profiles, direct communication with us, contributors, service providers, suppliers and authors, staffing and general infrastructure.

The digital offerings via the website and the OEKT app are largely identical. Accordingly, the section on "Using our app" only deals with topics where the app differs from the website.

Unlike the Kirchentag or Katholikentag in the past, many forms of data processing for the implementation of local offerings are not relevant at OEKT 2021, such as the administration of private accommodation. Topics such as admission control or the processing of health information in the context of the pandemic measures only affect the few in-person events of the OEKT, such as the closing service.

2. Contact

The body responsible under data protection law is:

3rd Ecumenical Kirchentag Frankfurt 2021 e.V. (hereinafter: "OEKT e.V.")

Danziger Platz 12, 60314 Frankfurt am Main

Questions regarding data protection can be sent directly to our data protection officer: datenschutz(at)oekt.de

3. Your rights in general

We would like to summarise here the general rights you have with regard to your personal data processed by us. The OEKT is an ecclesiastical legal entity within the meaning of §3(1) lit. c) of the Church Data Protection Act ("KDG"). Accordingly, the processing of personal data by the OEKT is governed by the provisions of the KDG, which, pursuant to Article 91(1) of the EU General Data Protection Regulation ("GDPR"), takes precedence over the provisions of the GDPR.

For an explanation of the legal terms, we refer to the definitions in §4 KDG. Should anything remain incomprehensible, please do not hesitate to ask us.

  1. You can revoke any consent you have given us to process or pass on your data at any time for the future (§8(6) KDG).
  2. Should the legal basis for processing your data be a legitimate interest according to §6(1) lit. g KDG, you may file an objection to the data processing according to §23 KDG. Insofar as the relevant data processing is direct advertising, you do not have to justify your objection in any way; in all other cases, you would have to provide reasons for your objection that arise from your particular situation.
  3. If we have stored incorrect information about you, you can request that we correct your data (§18 KDG).
  4. You can request information from us about which of your data we process (§17 KDG).
  5. You can request that we delete your data or restrict its processing, provided that your request does not conflict with any higher-ranking retention obligations (§§19 or 20 KDG).
  6. You may request that we provide you with the data you have provided to us yourself in a machine-readable format for disclosure to third parties (§22 KDG).
  7. You are entitled to complain to a supervisory authority for data protection about data protection issues with us, e.g. the competent authority for us:
     
    Katholisches Datenschutzzentrum Frankfurt am Main KdöR.
    https://www.kath-datenschutzzentrum-ffm.de/
    Domplatz 3, Haus am Dom, 60311 Frankfurt am Main
    069 / 800 8718 800
    info@kdsz-ffm.de

4. Data processing at the 3rd OEKT in general

Any form of processing of personal data requires a legal basis that allows us to do so. The legal basis primarily results from the purpose for which the data is processed. The lawfulness within a legal basis is regularly measured according to the specific scope of the data processing and the measures we have taken to protect your data.

Legal bases for data processing are derived from §6(1), and for data requiring special protection, such as religious or health data, from §11(1), in conjunction with §4(2) KDG. These two legal provisions name the preparation or fulfilment of contractual, legal or also social obligations as the most important legal basis for data processing. In addition, many data processing operations are carried out in our legitimate interest, unless the interests of the data subjects prevail in view of the specific circumstances. If one of the aforementioned types of legal basis is relevant, the processing does not require you to give any further consent.

In addition, data processing may be based on your consent (§8 KDG).

For persons under 13 years of age, the use of an electronic service is only permitted with the consent of a parent or guardian; for persons under 16 years of age, the consent of a parent or guardian is required if the use of electronic services is not offered free of charge (§8(8) KDG).

We would like to point out at this point that participation in the digital OEKT cannot be made possible for persons under the age of 13 for data protection reasons. We currently do not have the technology to reliably obtain the double consent of the children and their legal guardians required by §8(8) KDG.

In some cases, our obligation to ask for your consent results not, or not solely, from the KDG but from the stricter law under the EU ePrivacy Directive of 2002 (often called the "Cookie Directive"). The provisions of this directive apply in Germany via the German Telemedia Act (TMG) and the Unfair Competition Act (UWG). We have taken into account the obligations arising from these laws without explicitly referring to them in the following.

If a data transfer takes place to a state outside the European Economic Area (EEA), we will ensure that data protection is secured under §§39 to 41 KDG.

5. Cooperation with DEKT and ZdK

Behind the OEKT is a cooperation of various institutions. The host churches are the Protestant Church in Hesse and Nassau ("EKHN") and the Diocese of Limburg, together with the Protestant Church of Kurhessen-Waldeck and the Dioceses of Mainz and Fulda. The organisers are the German Protestant Kirchentag ("DEKT"), represented by the Association for the Promotion of the German Protestant Kirchentag ("DEKT e.V."), and the Central Committee of German Catholics ("ZdK").

The data protection responsibility for the OEKT lies solely with OEKT e.V. (see above).

The OEKT receives contact details from DEKT e.V. and ZdK from people who have told these organisations in the past that they would like to be informed about a future Kirchentag or Katholikentag. It is also possible that people have made their declaration to an organisation that has been responsible for organising a Kirchentag, Katholikentag or comparable event in the past and has passed on the request for information to DEKT e.V. or ZdK as the next-level institutions.

Similarly, the request for information on a future Kirchentag or Katholikentag by electronic communication is understood as consent to pass on the contact details and the request for information to DEKT e.V. or ZdK. OEKT e.V. will cease its active work after the conclusion of the 2021 event. DEKT e.V. and ZdK will act as legal successors of OEKT e.V. under data protection law and will ensure the protection of personal data beyond the end of OEKT.

6. General information about cookies

Cookies are text files that are stored by your browser on your device when you visit a website. Different information can be stored in a cookie. Sometimes a cookie only stores a yes or no ("true" or "false"), and sometimes a string of characters is stored that enables the browser to be uniquely identified when the website is called up again (a cookie ID).

The right to set cookies is not only determined by the KDG, but also by the EU ePrivacy Directive and §15 of the German Telemedia Act (TMG). The ePrivacy Directive distinguishes between cookies that are absolutely necessary for the operation of the online offer (essential cookies) and those that are not. Essential cookies may also be set without consent, but non-essential cookies always require consent - even if this is not required according to the KDG (and e.g. a legitimate interest exists as a legal basis).

Before we store non-essential cookies on your terminal device, we ask for your consent in accordance with the requirements of the ePrivacy Directive.

The purpose of each cookie and the legal basis for its use according to the KDG can be seen from the following description of the individual data processing.

There are various ways for you to prevent the acceptance of cookies on your device:

  1. The standard case should be that you decide via our consent manager which cookies you allow and which you do not, when you call up one of our Internet pages.
  2. In principle, you can set your browser so that it never accepts cookies. By such a complete exclusion, you will most likely lose functions that are based on cookies and that you would actually like to allow or that do not require consent at all.
  3. You can access Internet pages in the private mode of your browser. The private mode also blocks the setting of cookies in your browser memory or automatically deletes all cookies at the end of the session.
  4. Some browsers or browser plug-ins offer you the option of making more differentiated default settings as to which cookies you generally want to accept by default and which you do not.

7. Specific data processing

7.1 Participation in the OEKT

Description: The organisation of such a large event as the OEKT requires a central database through which all participants and their interests can be managed. We store the registration data (login), contact details, booked events and for participants their corresponding commitments, membership of groups, orders via our shop, newsletter consent and for those arriving, depending on the coordination via OEKT, also accommodation or arrival details, if required also information on diet, allergies or special care requirements, e.g. due to disabilities.

Dates of birth are also recorded because the public transport providers require us to do so in order to be able to check the age-appropriate allocation of tickets.

At the start of the OEKT, we took contact details from DEKT e.V. and ZdK of those who had wished to be informed about subsequent events such as the OEKT.

Especially with a digital OEKT, this database is at the heart of data processing. Whether you register for "My OEKT" on our website or in our app, register for a specific individual event, order a newsletter or a product in our webshop - all these processes access the same database we operate.

By using a stand-alone database from our own servers, we are largely independent of external service providers and can ensure a level of data protection worthy of an OEKT.

The participant management application is also used to send participants the OEKT newsletters and notifications of all kinds. This also includes the notifications that are displayed in the OEKT app.

For participants with a "My OEKT" account, personal data can also be synchronised across several devices or between the view in the internet browser and in the OEKT app. This applies, for example, to the reading status of messages sent to participants or personal programme favourites.

When you log in to "My OEKT" on the website, a cookie (fe_typo_user) is set in your browser that saves your status as a logged-in person. This cookie is an “essential” cookie that does not require your consent, as without this cookie the use of the account would not be technically possible.

We also use the services of an external Content Delivery Network (CDN) to ensure stable and fast content delivery via the internet. The CDN is used to provide big files such as films, audio, images or large documents, which do not contain any personal data of the participants. The CDN only learns the IP address of the end device from which OEKT content is accessed.

Data categories: Registration data (name, title, email address, password (hash value)), contact data (phone number, address), event bookings, tasks/assignments as a contributor, orders (goods/services, payment and delivery conditions, invoices), newsletter registrations (email address, double opt-in, timestamp), affiliation to groups, accommodation data, arrival data, dietary requirements, care requirements, date of birth/age, activity history (timestamp for all digital activities such as login or logout).

Data recipients (if applicable, transfer to third countries): The database for participant administration is operated for the OEKT by a German service provider who is bound by a data protection contract. The service provider in turn uses two subcontracted data centres in Germany to provide the database. There is no transfer to third countries.

The service provider for the CDN is a data recipient for the IP addresses who is bound by a data protection order processing agreement and is located in the EEA. The service provider is part of an international group of companies with headquarters in the USA. The service provider was obliged to limit data processing to its EU data centres. Any data transfer outside the EEA that may nevertheless take place is secured by the conclusion of EU standard data protection clauses.

Purpose + legal basis: The operation of the participant database serves the organisation and administration of the event, specifically the provision of digital events and access authorisations. The legal basis is the fulfilment of our contractual obligations as organisers towards you as a participant.

Storage period: Your customer data will remain active until your customer relationship with us ends. After that, we store the data depending on the respective retention obligations that affect our business relationship.

Description: You can save events as favourites in the programme. The events are saved only as a bookmark on your device. Only if you are logged in via "My OEKT" will the selected events be synchronised with your user account and, if applicable, with other devices of yours.

Data categories: Selected events related to your "My OEKT" account

Data recipient (if applicable, third-country transfer): See participant management

Purpose + legal basis: Synchronisation of programme favourites. The legal basis is contract performance, as these functions are among the core functions of the user account.

Storage period: Until you remove a favourite again or your user account is deleted.

Description: We make many programme contents available as pre-produced films or live streams via the Vimeo video player, which is integrated into our website or app for this purpose. When you start a film, your IP address is transmitted to Vimeo. We use the Vimeo player with the do-not-track function, so that Vimeo does not set any cookies in your browser. In addition, you can protect yourself against cookies from Vimeo and the tracking partners commissioned by Vimeo if your browser does not accept third-party cookies (default setting for current versions of the Firefox and Safari browsers).

We only receive statistical data from Vimeo on the use of the films we make available via Vimeo, but no personal data.

For further information on the handling of your data, please refer to the Vimeo privacy policy: https://vimeo.com/privacy

Data categories: IP address; date and time of access; films viewed; sharing functions used to recommend the film; type and version of internet browser; type and version of operating system.

Data recipient (if applicable, third country transfer): Vimeo Inc., 555 West 18th Street, New York, New York 10011, USA. Data transfer outside the EEA is secured by the conclusion of EU standard data protection clauses.

Purpose + legal basis: We use the Vimeo player in order to be able to offer you efficient and data protection-friendly video streaming. The legal basis for the data transfer to Vimeo is a legitimate interest.

Storage period: The storage period is the responsibility of Vimeo. It is not possible for us to delete your data as we do not collect any data from you through the use of Vimeo.

Description: We offer a chat to accompany events that are offered as a live video stream via Vimeo. You can use it to comment on the event and actively contribute to it. The chat function is technically provided by Vimeo in the same way as the video stream.

If you activate the chat function, you must accept cookies from Vimeo (VUID) as well as Google and Microsoft according to Vimeo's specifications. These cookies are not the responsibility of the OEKT, but of Vimeo. To ensure that you are aware of these additional cookies, we have set up two requirements: In principle, the chat is only available to you if you are logged in via a "My OEKT" account. And you must agree to Vimeo's cookies in the chat window before it is released for use. You can technically prevent the receipt of cookies from Vimeo and the tracking partners commissioned by Vimeo despite consent in the chat window if your browser does not accept third-party cookies (default setting for current versions of the Firefox and Safari browsers).

The contents of each chat will be deleted immediately at the end of the respective event. The chats are not archived.

You can find further information on the handling of your data in the Vimeo data protection declaration: https://vimeo.com/privacy, supplementary to cookies: https://vimeo.com/cookie_policy

Data categories: (Self-selected) participant name (pseudonyms are permitted), statements and interactions in the chat; IP address; date and time of access; films viewed; sharing functions used to recommend the film; type and version of internet browser; type and version of operating system; cookie IDs stored in the cookies.

Data recipient (if applicable, third country transfer): Vimeo Inc., 555 West 18th Street, New York, New York 10011, USA. Data transfer outside the EEA is secured by the conclusion of EU standard data protection clauses.

Purpose + legal basis: We use the Vimeo chat to offer you the opportunity to actively participate in the events in the live stream. The legal basis for communication in the chat is contract fulfilment, as the provision of the chat is a central service of a digital OEKT. The legal basis for the general log data is legitimate interest. The legal basis for the collection of your usage behaviour via the cookie IDs is your consent declared to Vimeo in the chat window.

Storage period: The chat content (participant name, comments) is deleted immediately after the end of the live stream. The storage period for the remaining data is the responsibility of Vimeo. It is not possible for us to delete data, as we do not collect any data from you through the use of Vimeo.

Description: We will make many programme contents available as online workshops or video conferences via Cisco's Webex technology. To participate in a Webex conference, you will be provided with an Internet link. In order to participate in a Webex conference, you need to download the Webex software onto your terminal device. The installation process of the Webex software is started automatically by calling up a Webex link.

When you dial into the conference, you will be asked to give yourself a participant name for the conference, e.g. to be able to allocate requests to speak in the chat during the conference to you personally. You can also use fantasy names here. You do not need a separate Webex user account to participate.

The Webex app asks for your consent to access your microphone and camera. You can give any of these permissions; however, you do not have to if, for example, you want to follow a conference without active participation.

Webex offers you supplementary functions in addition to audio and video: an accompanying chat for exchanges in text form, requests to speak via symbol icons, and an artificial background image. Conferences can be recorded. If a conference is to be recorded, we inform all participants in advance and only start the recording when all participants have given their consent to the recording. Audio recordings can be transcribed into a text file.

You can also participate in Webex conferences by phone without the Webex app. In addition to the internet link, telephone dial-in details are provided for each event. If you participate by phone, you can hear and speak, but you cannot use any other features of the video conference.

Unless there is an expressly agreed recording, we will not store the conference in any way. After the conference has ended, the contents of an unrecorded conference can no longer be accessed. In this respect, this corresponds to telephone conversations that were not recorded. Chat content and other accompanying communications do not become part of a video/audio recording.

It is technically possible for any participant to make screenshots or recordings of the conference in whole or in part using means outside Webex. Such behaviour without appropriate agreement with all participants constitutes a violation of the personal rights of others by the person acting and, if it is not one of our employees, is outside our responsibility. Secret recordings of the spoken word may constitute a criminal offence under Section 201 of the Criminal Code. We reserve the right to take legal action of any kind against persons who use their participation in a video conference to engage in unlawful or anti-privacy behaviour.

For data processing by the Webex app that does not concern the content of the specific conference, the responsibility does not lie with us but directly with Cisco. This applies, for example, to the download of the app. By downloading the Webex app onto your end device, you establish an independent legal relationship between yourself and Cisco.

The data transfer between your terminal and the Webex server requires Cisco to take note of the IP address through which you are online during the video conference. The servers also collect all types of data that are regularly generated during the use of telemedia services.

Information on data protection at Cisco can be found here: https://www.cisco.com/c/de_de/about/legal/privacy-full.html

Data categories: User name, participation times, video or audio signal, video or audio recording (only with consent), audio transcript (only after recording), actions in the chat, status request to speak; telephone number (in case of participation by telephone); further data categories such as IP address or email address are processed by Webex under its own responsibility.

Data recipient (if applicable, third country transfer): Cisco Systems Inc., 170 West Tasman Dr., San Jose, CA 95134, USA; contact with Cisco is possible via its German subsidiary Cisco Systems GmbH, Parkring 20, 85748 Garching. Cisco is committed to data protection via an order processing agreement. Data transfer outside the EEA is secured by the conclusion of EU standard data protection clauses.

Purpose + legal basis: Use of a video conference. Legal basis is contract fulfilment, as the provision of the online workshop is a central service of a digital OEKT. For recordings, consent is the legal basis. The legal basis for the use of a US service provider is legitimate interest, as Webex offers the highest level of digital accessibility, which is a particularly important value for the OEKT.

Storage period: If there is no recording, all data is deleted when the conference ends. If the conference was recorded, the recording is deleted as soon as the last purpose for which the recording was made has been achieved. The storage period for the remaining data is the responsibility of Cisco. It is not possible for us to delete data, as we do not collect any data from you through the use of Webex.

Description: We record the concerns of participants and customers of the web shop who have questions about tickets, events, accommodation, products, shipping or other services or topics of the OEKT in a so-called ticket system for optimal support. This ticket system records the relevant contact data and the enquirer's request as well as the solution offered in connection with the contact person on the OEKT side and the time of communication.

In connection with the ticket system, the OEKT offers an online chat for direct and professional exchange in addition to communication by email and telephone call.

Data categories: Name, contact details, description of the service request and the solution offered, contact person at OEKT, time and form of communication (email, chat, telephone call); if online chat is used, IP address from which the chat was used.

Data recipient (if applicable, third country transfer): The service provider for the online ticket system in connection with the online chat of the participation service is committed to data protection via an order processing contract and processes the data within the EEA. A third country transfer does not take place.

For emails and telephone calls, see the processing operations "Email communication" and "Telephone calls" in the section "Direct communication with us".

Purpose + legal basis: Participant support via a ticket system in connection with an online chat. The legal basis is contract fulfilment or contract preparation, as the services are directly geared towards providing the OEKT offerings.

Storage period: The contents of the service requests and responses are stored for up to six months after the OEKT in order to be able to close any unfinished requests and to be able to evaluate the service topics of the OEKT to optimise subsequent major church events. The metadata of the online chat will be stored for three months and then automatically deleted.

Description: If you purchase paid access authorisation or goods from our online shop, you can either pay for them by bank transfer after the invoice has been issued or directly during the ordering process using the instant bank transfer function of Klarna, the financial service provider. The processing of your data for classic bank transfers is described under the topic "Payment transfers".

If you choose immediate transfer, an encrypted connection is established from our online shop to Klarna, via which we communicate a transaction number, a service description and the invoice amount and forward you to Klarna for verification of your bank details.

We do not record or store any data on your bank details with us, but only store the corresponding transaction confirmation from Klarna if the invoice amount for a transaction number generated by us could be credited to us.

With regard to all processes at Klarna, data protection results from your independent contractual relationship with Klarna. In this respect, we only provide the transfer to this independent service provider as a payment option for you.

As a financial service provider, Klarna is subject to European banking supervision. Details on data protection at Klarna can be found at: https://www.klarna.com/sofort/datenschutz/

Data categories: Transaction number, service description (booking text) and invoice amount

Data recipient (if applicable, third country transfer): Klarna Bank AB (publ), Sveavägen 46, 11134 Stockholm, Sweden. A transfer to third countries does not take place. See participant management

Purpose + legal basis: Processing your payment via the immediate transfer service. The legal basis for both Klarna and us is contract fulfilment.

Storage period: For the storage periods at Klarna, we refer to their information. We store the payment confirmation by Klarna as a booking document for ten years.

Description: We send documents for the OEKT as well as ordered goods by post, courier service, forwarding agent or a comparable logistics company. Compliance with data protection by these service providers is regulated in the Postal Act as a supplement to the GDPR and is monitored by the Federal Data Protection Commissioner.

In addition to the postal address, parcel delivery companies now require the recipient's email address in order to be able to independently send notifications about the expected delivery date and an individual tracking code for shipment tracking. The communication established in this way between the logistics company and the consignee facilitates the delivery process for both sides. The logistics companies provide us with the tracking ID so that our service team can answer questions about the shipment status in the event of difficulties with the delivery.

Data categories: Name + address; email address, tracking ID of the logistics company

Data recipient (if applicable, third country transfer): Logistics companies that are subject to postal secrecy. A transfer to third countries only takes place if the item is sent to an address outside the European Economic Area. In these cases, data protection is guaranteed by international agreements on postal secrecy. See participant management

Purpose + legal basis: Delivery of ordered goods. The legal basis for handing over the postal address is contract fulfilment. The handover of the email address follows a legitimate interest, as a communication of tracking IDs for shipment tracking has become the norm.

Storage period: The documentation of the dispatch process must be stored as a business letter for six years in accordance with the requirements of commercial law.

Description: In the "My Ticket" area, people who have registered for "My OEKT" can manage their own tickets as well as the tickets of family members or other persons. A ticket is understood to be both time-bound tickets such as day tickets and bookings for individual events with a limited number of seats.

If a ticket is booked as a family ticket, the bookings of the other family members are automatically added to the overview of the booker. Tickets of other persons can be added to their own overview via their ticket code. This may be necessary if third parties do not have access to their own smartphone for using the digital access controls.

Data categories: Ticket identifier in connection with user ID for a "My OEKT" account.

Data recipient (if applicable, third country transfer): See participant management

Purpose + legal basis: Flexibility of access from one device to the tickets of several persons. Legal basis is contract fulfilment, as the data subjects provide the further data independently via the family booking or the provision of the ticket code.

Storage period: The data will be deleted after the OEKT has been fully completed.

Description: In the "My group" section, people who have registered a group for "My OEKT" as a group coordinator can access the participation data of all participants they have registered.

In addition, the function "My group" allows you to send text messages to members of your own group or to start a call via the phone number stored in the participant data.

Data categories: Booking data of all members of a group, content of text messages and timestamps.

Data recipient (if applicable, third country transfer): See participant management

Purpose + legal basis: Provision of an administration and communication interface. The legal basis is contract fulfilment, as the data subjects have specifically booked participation in the OEKT as a group and independently start using the communication function.

Storage period: The data will be deleted after the OEKT has been fully completed.

Description: The "My ticket" area displays public transport tickets that have been booked by participants. The corresponding menu item in the OEKT app can be presented digitally during ticket checks.

The technical service provider of the RMV (Rhein-Main-Verkehrsverbund) requires that the date of birth is stored in the user account in order to be able to check age eligibility for youth and senior tickets.

Data categories: Tickets booked, date of birth

Data recipient (if applicable, third country transfer): Rhein-Main-Verkehrsverbund and its technical service provider for the provision of digital tickets; See Participant Management

Purpose + legal basis: Provision of digital tickets. Legal basis is contract fulfilment, as the tickets have been purchased accordingly via OEKT.

Storage period: The data will be deleted after the OEKT has been fully completed.

Description: In the area "My vouchers", QR codes are stored with which goods can be collected at certain distribution points. At the distribution point, helpers can scan the QR code and use it to verify authorisation and document the redemption of the voucher.

Data categories: Pick-up authorisations (vouchers), time of redemption

Data recipient (if applicable, third country transfer): See participant management

Purpose + legal basis: Provision of digital pick-up vouchers. The legal basis is contract fulfilment, as a corresponding pick-up entitlement has been acquired beforehand.

Storage period: The data will be deleted after the OEKT has been fully completed.

Description: In the section "My accommodation" you will find information about the accommodation that was arranged for you through the OEKT. The providers of private accommodation and the helpers in the shared accommodation receive information about the participants staying with them. In addition to the name, this includes contact details, the time of stay and, if applicable, information on allergies, special dietary requirements or care needs.

Data categories: Name, contact details, period of accommodation, allergies, dietary requirements, care needs.

Data recipient (if applicable, third country transfer): Accommodation provider; See participant management

Purpose + legal basis: Organisation of the accommodation service. The legal basis is contract fulfilment, as accommodation is one of the central services of the OEKT.

Storage period: The data will be deleted after the OEKT has been fully completed.

Description: The WCC offers a digital guestbook. Participants can upload their own image files to an external service provider and add text to them or add text to images from a pre-selection. After approval by the OEKT, these pictures will be integrated and published in a picture gallery or mosaic within the OEKT website.

The OEKT has access to the images and can load them into its own storage systems and, if necessary, use them for purposes other than the image gallery or mosaic.

The topics of offensive image content and rights of use are not covered by this data protection information.

Data categories: Persons and identifying content on and in image files as well as accompanying texts (guestbook entries); IP address of the device from which the image file is uploaded, time of uploading.

Data recipient (if applicable, third country transfer): The service provider for the administration and hosting of the digital guestbook including picture gallery/mosaic is bound to data protection via an order processing contract and processes the data within the EEA. A third country transfer does not take place.

Purpose + legal basis: Provision of a digital guestbook including image publications. The legal basis for the processing of image files and text entries is the fulfilment of a contract, as the guestbook is a service that the publishers use voluntarily and independently. The legal basis for the processing of metadata (IP address) is a legitimate interest, as the digital service cannot be offered without this data.

Storage period: The digital guestbook including the metadata will be deleted one month after the conclusion of the OEKT event.

Description: The OEKT is basically a public event. Although access to individual events must regularly be restricted with regard to room capacities or, in the case of a digital event, with regard to technical capabilities, only a few events are classified as confidential.

Public relations work is a fundamental part of an OEKT. Therefore, film, image and sound recordings are made at the events, both by the OEKT and by third parties. In particular, a digital OEKT means that every event is recorded and regularly transmitted to the participants at the same time (video stream).

Participants who do not want to be recorded should avoid face-to-face events or stay well in the background. Participants in online events have the option of not activating their camera or microphone and thus avoiding being recorded in sound or image.

Data categories: Film, sound and image recordings

Data recipients (if applicable, transfer to third countries): Our service providers for the streaming of the event or the online workshops as video conferences, who are bound to data protection via order processing agreements, are located in the USA. The resulting data transfer outside the EEA is secured by the conclusion of EU standard data protection clauses.

Media companies in the context of public relations

Purpose + legal basis: Organisation of the OEKT as a digital meeting and public relations work. The legal basis is a legitimate interest according to the principles of §§ 22, 23 of the German Art Copyright Act (Kunsturhebergesetz), as this is a public event and participants themselves can control how much they put themselves in the spotlight of the events. Regarding the legal basis for the data transfer to the streaming and video conference service providers, see the descriptions of these processing operations

Storage period: Your user data remains active until you, or we, close your user account and delete the associated data.

Description: Some visitors register special care needs, e.g. due to walking, visual, hearing or other disabilities or special dietary requirements. If this information is recorded in our participant database, we will pass it on to the OEKT team at the booked events on site as required, so that the persons concerned can be cared for and placed accordingly. The information will be made available to the OEKT teams on site via the smartphone app for contributors.

In some cases, participants in the OEKT call in external support services in order to provide optimum care. In these cases, data is passed on. The support services are regularly health services, which in turn are subject to the criminal law obligation of confidentiality under §203 of the Criminal Code.

Data categories: Reason and extent of special care needs (e.g. walking, visual, hearing or other disabilities, special dietary requirements), name, caregiver, contact details (for early coordination), booked or attended event, preparatory or agreed care measures.

Data recipients (third country transfer if applicable): Auxiliary services supporting the OEKT. There is no third country transfer. See Participant management

Purpose + legal basis: Implementation of personal care needs. The legal basis is contract fulfilment, as the organisation of care services is one of the tasks of the OEKT.

Storage period: Internal storage follows the processing "Participant Database", storage with external support services follows their own storage periods.

Description: Depending on the current legal and regulatory requirements for defence against the ongoing pandemic, we may be obliged to collect and report health-related data with regard to a possible infection to the health authorities.

The details of pandemic-related data processing are in a constant state of flux and follow the current guidelines of the Hessian state government, which can be found at https://www.hessen.de/fuer-buerger/corona-hessen/verordnungen-und-allgemeinverfuegungen.

Participants in in-person events must answer a health questionnaire. We store the data in your "My OEKT" account so that you do not have to answer the questions more than once on the same day for several events.

When you book a face-to-face event, we also store your postcode with your booking. Should your home region be declared a risk area, we can use this to identify and cancel your booking, as we may then not be able to grant you access to a face-to-face event, depending on current regulations.

Data categories: Name, date of birth, registration address, current place of residence, contact details (telephone number, email address), origin (in particular from regions that have been classified as pandemic risk areas), symptoms of infection that have occurred, type and result of a pandemic infection test, times (arrival/entry, test date, occurrence of health symptoms, submission of health questionnaire).

Data recipient (if applicable, third country transfer): Health authorities. A third country transfer does not take place. See participant management

Purpose + legal basis: Compliance with pandemic regulations. Legal basis is a public interest in public health according to §11(2) lit. i KDG.

Storage period: Depending on the legal or regulatory requirement for the specific form of data processing.

Description: Some events involve persons who receive special protection from the security authorities. Depending on the conditions of the event, the participation of the protected persons requires a security check of the helpers, participants and contributors who will be in the environment of the protected person.

Data categories: Name, registration address, date of birth, place of birth, function at the event

Data recipient (if applicable, transfer to third countries): Security authorities such as the state or federal criminal investigation office.

Purpose + legal basis: Ensuring security for persons in need of protection. The legal basis is a legitimate interest arising from the requirements of personal protection.

Storage period: Deletion is the responsibility of the security authorities.

7.2 Visiting our internet pages

Description: In order for a web server to make our website available to your browser, the server must collect technical data about the device you are using, your browser and your internet access. This is referred to as a log file or weblog. This is the same data that you necessarily leave behind with every internet page that you call up. At the centre is the IP address from which you call up our pages. The web server sends the data you want to see to this internet address.

Data categories: IP address from which our page was accessed; date and time of access; objects on our website accessed in the browser; type and version of internet browser; type and version of operating system.

Data recipient (if applicable, third country transfer): Our hosting service provider, who is bound to data protection via an order processing agreement, is located in the EEA. In the event of attacks on our pages, data is passed on to forensic experts and investigating authorities commissioned by us. A transfer to third countries does not take place.

Purpose + legal basis: Providing our website as well as investigations should unlawful access to our websites occur (e.g. a hacker attack). The legal basis is a legitimate interest, as the operation of a website is not possible without collecting the weblog. In the specific case of an attack on our website, we have a legitimate interest in being able to provide investigators with circumstantial evidence of how the attack took place.

Storage period: 7 days

Description: For all cookies requiring consent, we ask for your consent before storing them in your browser cache. The decision you make is stored on your device in the local storage of your browser, so that we do not have to ask for your consent when you visit our website again. We store only the entry "privacy_consent" if you have consented to the essential cookies alone, and additionally the entry "statistic_consent" if you have also consented to the Matomo statistics cookie.

You can revoke your consent to our Matomo statistics cookies at any time. At the end of our data protection information, you will find a note on "Matomo web analysis" with a selection box. If a check mark is placed in the box, you have currently consented to the statistical analysis. By clicking on the box, you can remove the tick to revoke your consent. Matomo then sets two additional cookies (MATOMO_SESSID and piwik_ignore) that block further data collection from your browser.

Data categories: Consent status (Yes/No)

Data recipient (if applicable, third country transfer): None

Purpose + legal basis: legally compliant consent management for cookies. Legal basis is a legitimate interest, as saving the cookie decision only slightly restricts the rights of visitors and at the same time simplifies the use of the pages on repeated visits.

The entries in the local storage of your browser may also be set without your consent according to the ePrivacy Directive, as cookie management is to be considered an essential function.

Storage period: Until the entry in the local storage of your browser is deleted and, if applicable, until the cookie piwik_ignore is deleted, which happens automatically after 30 years.

Description: We use the web analytics service Matomo on our website. Matomo creates statistical reports on our behalf about the activities on our website, the regional origin of visitors and technical parameters of the devices used to visit our pages.

We have set Matomo so that IP addresses are only processed in abbreviated form (IP anonymisation) in order to make it much more difficult to directly identify your terminal device. Matomo sets cookies in your browser when you call up our website in order to be able to assign your activities on our website to a user. This enables us to determine the quota of returning visitors or to be able to trace usage paths within our internet pages. The cookie does not tell us who you are. The cookie assigns you to a cookie ID as a pseudonym.

We do not share the data from Matomo with any third parties. In particular, we do not merge the data with data from advertising networks or use it in any other way for marketing purposes.

You can recognise the Analytics cookies from Matomo by the abbreviation pk in the name (Matomo used to be called Piwik).

You can revoke your consent to our Matomo statistics cookies at any time. At the end of our data protection information, you will find a note on "Matomo web analysis" with a selection box. If a tick is placed in the box, you have currently consented to the statistical analysis. By clicking on the box, you can remove the tick to revoke your consent. Matomo then sets two additional cookies (MATOMO_SESSID and piwik_ignore) that block further data collection from your browser.

Data categories: IP address via which the device goes online (anonymised immediately after collection); location or country linked to the IP address as well as Internet service provider for Internet access; date and time of access; objects on our website that are called up (clicked on) in the browser; type and version of Internet browser; type and version of operating system; Internet pages that were clicked on before and next; Matomo ID stored in the cookie.

Data recipient (if applicable, third country transfer): The Matomo server is operated for the OEKT by a German service provider who is bound to data protection via an order processing contract. A third country transfer does not take place.

Purpose + legal basis: The purpose of this usage analysis is to enable us to further improve our Internet offering based on the analysis findings.

The legal basis is a legitimate interest, which results from the fact that the personal reference of the collected data is greatly reduced, e.g. by anonymising the IP addresses, and that the data is not combined by us with other data collections.

Regardless of the legal basis, we ask your consent for the setting of Matomo cookies via our cookie manager in view of the requirements of the ePrivacy Directive.

Storage period: 12 months for the tracking ID (Justification: This storage period allows us to export annual reports). Should you revoke your consent, the revocation cookie (piwik_ignore) will be stored in your browser for 30 years if you do not delete it beforehand.

Description: On our website we offer the map and navigation service of the OpenStreetMap Foundation (OSMF). When you call up the map material, your IP address is transmitted to OSMF. The rear part of the IP address is immediately anonymised, but via the front section OSMF can recognise in which location you are likely to be.

OSMF does not use your data for any other purpose than providing the map functions. OSMF does not share your data with anyone, especially advertising networks.

Information on the data processed by OSMF can be found at: https://wiki.osmfoundation.org/wiki/Privacy_Policy#Data_we_receive_automatically

Data categories: See https://wiki.osmfoundation.org/wiki/Privacy_Policy#Data_we_receive_automatically

Data recipient (third country transfer if applicable): OpenStreetMap Foundation, St John's Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom. The data transfer to the third country is covered by the special post-Brexit arrangements currently in place with the United Kingdom.

Purpose + legal basis: The purpose of this usage analysis is to enable us to further improve our Internet offering based on the analysis findings.

The legal basis is a legitimate interest, which results from the fact that the personal reference of the collected data is greatly reduced by anonymising the IP addresses and that the data is not combined with other data collections.

Storage period: See https://wiki.osmfoundation.org/wiki/Privacy_Policy#Data_we_receive_automatically

7.3 Use of our apps

If you want to use our app on your mobile device, you need to download it from an app store suitable for your device's operating system. For iOS devices this is Apple's App Store, for Android devices either Google's Play Store or another platform for Android apps.

All data processing in connection with the download of our app takes place between you and the respective app store. We do not receive any personal data, only a statistical compilation of the number of downloads. For all information about the respective data processing, we refer you to the corresponding data protection information of Apple, Google or the download platform you use.

Even though we are responsible for the operation of the app, the app is offered for download in the app stores by our service provider eGenius as developer on our behalf.

Description: You can access your events and your user profile via our app. The functions in the app are basically the same as those offered on our website for participation in the OEKT, but are optimised for use on mobile devices. In addition, there are some additional functions which we present separately below.

Each time the OEKT app is installed on a smartphone, an individual installation code (installation ID) is assigned to the app. This ID is used to prevent the misuse of multiple OEKT tickets.

Depending on the specifications of the operating system you are using, the app asks for permission to access certain standard functions of the end device. These include the receipt of messages (also called push messages), access to the camera, e.g. to be able to scan QR codes, saved photos for sharing functions or the current location for the proximity search functions. For all these access rights, the OEKT app only processes data to the extent that you allow it according to the mechanisms in the operating system of your end device.

Data categories: See the processing operations "Participation OEKT" and "Use in the app".

Data recipient (if applicable, third country transfer): See the processing operations "Participation OEKT" and "Use in the app".

Purpose + legal basis: See the processing operations "Participation OEKT" and "Use in the app".

Storage period: See the processing operations "Participation OEKT" and "Use in the app".

Description: If you attend a face-to-face event, you can call up your OEKT ticket or your booking for a specific event as a digital ticket in your OEKT app as a QR code. Assistants at the event locations scan the QR code via their devices, which triggers a verification check via the central participant database. If the QR code is stored with a valid access authorisation for the event area and the health questionnaire has been answered beforehand, the volunteer receives a positive response and lets you in.

To avoid multiple uses of digital tickets, the ticket codes are linked to the installation ID of the OEKT app on your smartphone. The OEKT does not receive any further information about you. If you uninstall and reinstall the OEKT app after activating a ticket in your app, this may cause problems. In this case, please contact the OEKT support.

Data categories: Ticket code in conjunction with installation ID, scope of authorisation (event area or event), time of verification check.

Data recipient (if applicable, third country transfer): See participant management

Purpose + legal basis: Verification of access authorisations. Legal basis is contract performance.

Storage period: The data will be deleted after the OEKT has been fully completed.

Description: At some in-person events, you will be asked to register yourself as present. For this purpose, the OEKT app offers the "Check-in" function, which requests access to the camera of your smartphone or tablet in order to scan QR codes displayed at the venue. If the OEKT app detects such a QR code in check-in mode, you will be assigned to this event area or event as a person present in the participant database.

You may also be asked to sign out again when leaving the area or event in the sense of a check-out.

Data categories: "My OEKT" user ID, event area or event, time of check-in

Data recipient (if applicable, third country transfer): See participant management

Purpose + legal basis: Recording the number of attendees. The legal basis is a legitimate interest, as the organisational management can thus be warned about impending overcrowding of premises with minimal effort.

Storage period: The data will be deleted after the OEKT has been fully completed.

Description: We can send you messages via our app, called push messages. In order for such messages to be delivered to your smartphone, we need to use a corresponding push service. We use the function from Google's Firebase service package for this purpose. We have not activated other Firebase functions such as Google Analytics for Firebase.

We do not receive any personal data from you via the push service, as we send the messages to all OEKT apps that have agreed to receive messages in the respective operating system on your smartphone or tablet. We do not receive any feedback on which end devices this is or is not the case.

Data categories: no personal data

Data recipient (if applicable, third country transfer): Google as the sender of the push messages does not receive any personal data of the receiving devices.

Purpose + legal basis: Provision of push messages

Storage period: No personal data is collected that would have to be deleted.

Description: The function “object” (venue) radar is activated in the OEKT app for the authorised helpers at the event locations. The venue managers use this to report to the organisational management of the OEKT how full individual event areas are. In this respect, no personal data is transmitted, only quantity data.

In addition, a chat function is available for the venue managers to communicate with the organisation management in text form. Messages from the venue managers are displayed to the organisation management with the name of the person.

Data categories: Name, chat content including time stamp

Data recipient (if applicable, third country transfer): See participant management

Purpose + legal basis: Chat communication between the person responsible for the venue and the organisation management. The legal basis is the fulfilment of the contract for the task of the person responsible for the venue.

Storage period: The data will be deleted after the OEKT has been fully completed.

7.4 Marketing communication

Description: You can subscribe to our email newsletter. To do so, you only need to provide an email address. Further details such as your name are voluntary and are used so that we can personalise the sending of the emails with a direct salutation.

If you register online for the newsletter, you will receive a one-time email from us to the email address you have provided, in which we ask you to confirm your registration. This is to prevent you from being registered for our newsletter by someone who does not or should not have access to this address. This two-step procedure is called double opt-in for double consent.

By subscribing to our newsletter, you consent, both under data protection law and competition law, to us sending you emails on the topics described on the subscription page.

If a "My OEKT" user account is created for your email address, your newsletter consent will automatically be linked to your "My OEKT" account.

As a rule, consent includes the forwarding of newsletter contacts to the umbrella organisations DEKT e.V. and ZdK so that you can also be informed about future major church events. DEKT e.V. and ZdK in turn pass on the data to the event organisations of the next Kirchentag or Katholikentag.

You can revoke your registration and thus your consent at any time for the future. This is possible via the corresponding link at the end of each newsletter we send out.

We manage our newsletters via our participant database, which we host on our own servers.

Data categories: Email address, documentation of email verification (double opt-in), time of your registration; name; selection of specific newsletter packages.

Data recipient (if applicable, third country transfer): See participant management

After the conclusion of the OEKT, we hand over contacts who have requested information about future events to DEKT e.V. or ZdK.

Purpose + legal basis: To provide an email newsletter. Information about follow-up events. The legal basis is your consent.

Storage period: After revocation of your consent, your data will be deleted immediately unless it has become part of a "My OEKT" user account in the meantime and separate storage obligations therefore exist.

Description: As a follow-up to various events and other forms of provision, the OEKT asks participants to take part in a satisfaction survey. At various points, participants are asked to register their email address for later participation in the survey. The collection of email addresses is done via an online form provided by the technical infrastructure of Microsoft.

In the survey following the OEKT, we ask not only about satisfaction but also about expectations, the type of participation (contributing, helping or participating) and sociographical data such as gender or age group.

The surveys are provided to the participants as online questionnaires by a service provider specialising in surveys. Participants are directed to the questionnaires in different ways. Sometimes the surveys are displayed at the end of digital events, sometimes participants receive the link to the survey by email.

By hosting the questionnaire with the service provider, the service provider collects an internet log file that is technically necessary when your browser communicates with the server.

We only receive statistical evaluations of the raw data from our service provider for all checkbox questions; only answers in text form can contain personal information.

Data categories: Content feedback (questionnaire responses), your own role in the event, sociographical classifications; internet log file (IP address, date and time of access, films accessed, type and version of internet browser, type and version of operating system).

Data recipient (if applicable, third country transfer): Our service provider for the survey technology, who is bound to data protection via an order processing agreement, is located in the EEA. A third country transfer does not take place.

For collecting the email addresses of those interested in participating: Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521, Ireland. Microsoft is committed to data protection via an order processing contract. Insofar as the EU subsidiary transfers data to the US parent company Microsoft Corp., Microsoft has concluded standard data protection clauses with us and thus guarantees that the data will be handled at EU data protection level.

Purpose + legal basis: Survey of participant satisfaction. The legal basis according to KDG is a legitimate interest, as participation in the survey is voluntary and serves to improve future events. Since competition law classifies satisfaction surveys as a marketing measure and the call for participation is sent by email, consent is required before sending the email according to §7 UWG.

Storage period: The personal raw data of the survey will be deleted after completion of the statistical (anonymised) evaluation.

7.5 Our social media profiles

Description: We operate company profiles (also called fan pages) on Facebook and Instagram. Such a fan page enables us to present our organisation on Facebook or Instagram and to get in touch with you on this social media platform.

Facebook provides us with analytics data about the use of our fan page (called Page Insights). This gives us an impression of how successful the individual communication measures are.

For details of data processing at Facebook, please refer to Facebook's data protection information: https://www.facebook.com/about/privacy

In accordance with a ruling of the European Court of Justice, the use of this analytics data is carried out in a joint responsibility with Facebook pursuant to Article 26 of the GDPR. Facebook has provided a shared responsibility agreement accordingly (https://www.facebook.com/legal/terms/page_controller_addendum). In the agreement, Facebook has assumed sole responsibility for all data processing issues. If you wish to exercise your rights under the GDPR with regard to the data processed in Page Insights, you should contact Facebook directly via your Facebook account. However, in accordance with the legal rules on shared responsibility, you are also free to contact us with your concern. We would then pass your concern on to Facebook.

Data categories: Facebook username; comments, likes and page views within Facebook or Instagram, and time of action.

Data recipient (if applicable, third country transfer): Facebook Inc., addressable for us as a European organisation via Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Data transfer outside the EEA is secured by the conclusion of EU standard data protection clauses.

Purpose + legal basis: Analysis of the usage behaviour on our fan page or our Instagram profile. The legal basis is the consent you have given as part of your Facebook or Instagram registration.

Storage period: The storage period is the responsibility of Facebook.

Description: We operate a profile on Twitter. Such a Twitter profile enables us to present our organisation on Twitter and to get in touch with you on this social media platform.

Twitter provides us with analytics data about the use of our profile page (Twitter Analytics). This gives us an impression of how successful each of our communication measures is.

For details of data processing at Twitter, please refer to Twitter's data protection information: https://twitter.com/de/privacy

Data categories: Twitter username; comments, likes and page views within Twitter and time of action.

Data recipient (if applicable, third country transfer): Twitter Inc., which we can contact as a European organisation via Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland. Data transfer outside the EEA is secured by the conclusion of EU standard data protection clauses.

Purpose + legal basis: Analysis of user behaviour on our Twitter profile. The legal basis is the consent you have given as part of your Twitter registration.

Storage period: The storage period is the responsibility of Twitter.

Description: We operate a video channel on YouTube, a service provided by Google. Such a YouTube channel enables us to present our organisation on YouTube and to get in touch with you on this social media platform.

YouTube provides us with analytics data about the use of our channel. This gives us an impression of how successful each of our communication measures is.

For details of data processing at YouTube, please refer to Google's data protection information: https://policies.google.com/privacy

Data categories: YouTube username; comments, likes and page views within YouTube; and time of action.

Data recipient (if applicable, third country transfer): Google LLC, for us as a European organisation contactable via Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. Data transfer outside the EEA is secured by the conclusion of EU standard data protection clauses.

Purpose + legal basis: Analysis of usage behaviour on our YouTube profile. The legal basis is the consent you have given to Google.

Storage period: The storage period is the responsibility of Google.

7.6 Direct communication with us

Description: When you send us an email, it arrives in at least one of our email inboxes. The content of your email and the metadata accompanying it (sender, time of sending, etc.) are stored on the email servers of our hosting provider. In addition, after retrieval from the server, they may be stored in the email programs on the devices that have access to the mailbox (computers, smartphones, tablets). The same applies to emails that we send to you.

The specific processing of personal data in an email depends on the thematic content of the email. It is obvious that we include your data in our contact directory for customers, business partners and other contacts.

Data categories: Name, email address; time of delivery or dispatch; other metadata that typically arise during email communication; other personal information in the content of the email such as further contact data in email signatures, enquiries, orders, offers or complaints by email.

Data recipient (if applicable, third country transfer): Our service provider for the hosting of the email inboxes, which is bound to data protection via a data processing contract, is located in the EEA. The service provider is part of an international group of companies with headquarters in the USA and further subcontractors in various third countries. The service provider has been obliged to limit data processing to its EU data centres. Any data transfer outside the EEA that may nevertheless take place is secured by the conclusion of EU standard data protection clauses.

Purpose + legal basis: Communication by email. Depending on the content of the correspondence, the legal basis is preparation or fulfilment of a contract or a legitimate interest in answering your email.

Storage period: Depends on the content of the correspondence; for example, commercial law requires business letters to be stored for six years, but other documentation obligations may also result in longer storage periods.

Description: Our website has a contact form. You can use it to send us messages. Your voluntary entries are sent to us in the form of an email (even if you have not entered an email address as sender).

Once you send your message, the data processing is equivalent to sending an email to our central contact address. While you are on the website and enter your details in the form, the data processing corresponds to calling up any of our websites.

Categories of data: See the processing operations "Provision of a website" and "Email communication".

Data recipients (transfer to third countries, if applicable): See the processing operations "Provision of a website" and "Email communication".

Purpose + legal basis: Provision of a contact form as an additional way to contact us. Depending on the content of your contact, the legal basis is the preparation or fulfilment of a contract or a legitimate interest.

Storage period: See the processing operations "Provision of a website" and "Email communication".

Description: When we speak to each other by phone, our cloud-based telephone system, in conjunction with our softphones or our mobile phones, records your number and the time of the call.

If the content of the conversation suggests this, we will create a conversation note and document it in the appropriate place (e.g. in the customer database or for applicants and employees in the personnel area). It is conceivable that we will include your data in our contact directory for further communication.

Audio recordings of conversations only take place in exceptional cases and after we have obtained your express consent to do so.

Data categories: Telephone number; time of the call; content of the call, if applicable.

Data recipients (if applicable, third country transfer): Telecommunications providers covered by telecommunications secrecy and the service provider for our cloud telephone system, which is bound to data protection via a contract processing agreement, are located in the EEA. The service provider is part of an international group of companies with headquarters in the USA and further subcontractors in various third countries. The service provider has been obliged to limit data processing to its EU data centres. Any data transfer outside the EEA that may nevertheless take place is secured by the conclusion of EU standard data protection clauses.

Purpose + legal basis: Communication by telephone call. Depending on the content of the conversation, the legal basis is preparation or fulfilment of a contract or a legitimate interest in exchanging information with you.

Storage period: Depending on the content of the conversation. Individual conversation notes may be subject to the six-year retention requirement for business letters under commercial law.

Description: If we are likely to be in contact with you again in the future, we will store your contact details in our contact directory so that we can recognise you as a known contact when you call or email us, or so that we can continue to contact you. If you hand over your business card to us, we will transfer your data to our contact directory.

Two different databases come into question as a contact directory. The majority of contacts are stored solely in the participant database, which we run on our own servers. Contacts with whom we communicate directly on a regular basis are stored in the contact directory at a cloud service provider, which is also accessed by our email and telephone programmes.

Data categories: Name, contact details (address, telephone, fax, email), your company, your company's field of business, your job title, your area of responsibility, place, time and circumstance of contact as well as, if applicable, special notes on your availability or the business topics addressed.

Data recipient (if applicable, third country transfer): Our service provider for the hosting of the contact directory with connection to the email and telephone app, who is bound to data protection via a data processing contract, is located in the EEA. The service provider is part of an international group of companies with headquarters in the USA and further subcontractors in various third countries. The service provider has been obliged to limit data processing to its EU data centres. Any data transfer outside the EEA that may nevertheless take place is secured by the conclusion of EU standard data protection clauses.

Purpose + legal basis: Maintaining contacts. Legal basis is a legitimate interest, as you have voluntarily given us your business card.

Storage period: We store your data until you ask us to delete it - unless a business relationship has arisen between us in the meantime, from which independent storage obligations arise for us with regard to your contact data.

Description: If you send us a letter, we regularly reply to it with a letter that we create on the computer and save as a file. We often scan your letter in order to archive it in online storage (cloud) as part of digital office management. The specific processing of personal data in our correspondence depends on the thematic content of the letters and the resulting retention obligations. It is conceivable that we will include your data in our contact directory for further communication.

Data categories: Name + address; personal details in the content of the letters, such as further contact details in your letterhead, enquiries, orders, offers, complaints or other topics.

Data recipient (if applicable, third country transfer): Postal service provider. A transfer to third countries only takes place if the item is sent to an address outside the European Economic Area. In these cases, data protection is guaranteed by international agreements on postal secrecy.

Our service provider for hosting online storage, which is bound to data protection via a data processing contract, is located in the EEA. The service provider is part of an international group of companies with headquarters in the USA and further subcontractors in various third countries. The service provider has been obliged to limit data processing to its EU data centres. Any data transfer outside the EEA that may nevertheless take place is secured by the conclusion of EU standard data protection clauses.

Purpose + legal basis: Communication by letter. Depending on the content of the correspondence, the legal basis is preparation or fulfilment of a contract or a legitimate interest in exchanging information with you.

Storage period: Depends on the content of the correspondence; analogous to the provision in commercial law for the storage of business letters, regularly six years.

Description: If you take part in a video conference with us to which we have (technically) invited you, the responsibility for the data processing through this communication lies with us. We use Microsoft Teams for video conferences. When we invite you to a conference, we send a Teams URL related to the specific conference with the appointment.

You can join a Teams video conference via the Teams app for mobile devices or desktop/laptop, or via your internet browser.

Participation as a guest is possible, so you do not need your own Microsoft user account. When you dial into the conference, you will be asked to enter a participant name for the conference so that, for example, requests to speak in the chat during the conference can be attributed to you. You may also use a made-up name here.

Teams asks for your permission to access your microphone and camera. You can give any of these permissions, but you do not have to if, for example, you want to follow a conference without active participation.

Teams offers you supplementary functions in addition to audio and video: an accompanying chat for exchanges in text form, requests to speak via symbol icons, profile maintenance (profile picture, additional contact data), artificial background picture. Conferences can be recorded. If a conference is to be recorded, we inform all participants in advance and only start the recording when all participants have given their consent to the recording. Audio recordings can be transcribed by Microsoft into a text file for us.

Unless there is an expressly agreed recording, the conference will not be stored by us in any way. After the conference has ended, the contents of an unrecorded conference can no longer be accessed. In this respect, this corresponds to telephone conversations that were not recorded.

It is technically possible for any participant to make screenshots or a recording of the conference in whole or in part using means outside of Teams. Such behaviour without appropriate consultation with all participants constitutes a data protection violation by the acting person and, if it is not one of our employees, is outside our responsibility. Surreptitious recording of the spoken word may constitute a criminal offence under §201 of the Criminal Code. We reserve the right to take legal action of any kind against persons who use their participation in a video conference to engage in conduct that is hostile to data protection.

As far as data processing is concerned that is not directly related to the specific conference, the responsibility does not lie with us but directly with Microsoft. This applies, for example, to the download of the Teams app. By downloading the Teams app onto your end device, you establish an independent legal relationship between yourself and Microsoft. Partial responsibility also lies with you or the organisation that provides you with your personal Teams user account.

The data transfer between your terminal and the Teams server requires Microsoft to take note of the IP address through which you are online during the video conference. The servers also collect all types of data that are regularly generated during the use of telemedia services.

Information on data protection at Microsoft can be found here: https://privacy.microsoft.com/de-de/privacystatement

Data categories: User name, participation times, video or audio signal, video or audio recording (only with consent), audio transcript (only after recording), actions in the chat, status request to speak, profile data (profile picture, contact data, background picture), telephone number (if participating by telephone); further data categories such as IP address or email address are processed by Microsoft under its own responsibility.

Data recipient (if applicable, third country transfer): Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521, Ireland; Microsoft is committed to data protection via an order processing contract. Insofar as the EU subsidiary transfers data to the US parent Microsoft Corp., Microsoft has concluded standard data protection clauses with us and thus guarantees that the data will be handled at EU data protection level.

Purpose + legal basis: Use of a video conference. Depending on the content of the conversation, the legal basis is preparation or fulfilment of a contract or a legitimate interest in exchanging information with you. For recordings, consent is the legal basis.

Storage period: If there is no recording, all data is deleted when the conference ends. If the conference was recorded, the recording is deleted as soon as the last purpose for which the recording was made has been achieved.

Description: For working together digitally (collaboration), we use Microsoft Teams. Here, channels can be set up for individual groups or projects. In these channels, an exchange can take place in text form, and files can be saved and jointly edited with the Microsoft Office apps or commented on and provided with notes. The basic functions of Teams can be extensively expanded via widgets, e.g. by joint task planning and assignment.

For collaboration via Teams, the Teams app for mobile devices or desktop/laptop must be installed on your end device. The responsibility for downloading the Teams app does not lie with us but directly with Microsoft. By downloading the Teams app onto your end device, you establish an independent legal relationship between yourself and Microsoft.

A Microsoft 365 account is not required to use Teams; you may use Teams as a guest who is not registered with Microsoft. If you have a Microsoft 365 account, the responsibility for this lies with you or the organisation that provides you with the account. You can use your 365 account to maintain your profile (profile picture, other contact details).

The transfer of data between your terminal device and the Teams server requires Microsoft to be aware of the IP address through which you access Teams content. The servers also collect all types of data that are regularly generated during the use of telemedia services.

Information on data protection at Microsoft can be found here: https://privacy.microsoft.com/de-de/privacystatement

Data categories: User name, publications in Teams channels, saving and editing files saved in Teams, profile data (profile picture, contact data); further data categories such as IP address or email address are processed by Microsoft under its own responsibility.

Data recipient (if applicable, third country transfer): Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521, Ireland; Microsoft is committed to data protection via an order processing contract. Insofar as the EU subsidiary transfers data to the US parent Microsoft Corp., Microsoft has concluded standard data protection clauses with us and thus guarantees that the data will be handled at EU data protection level.

Purpose + legal basis: Use of collaboration software for digital collaboration. Depending on the content of the collaboration, the legal basis is the preparation or fulfilment of a contract or a legitimate interest in exchanging information with you.

Storage period: Individual channels in Teams as well as files stored there are deleted as soon as the last purpose for which they were created or stored has been achieved. If your Office 365 account is deleted, the name entries for publications or file metadata in Teams will change to "unknown".

7.7 Contributors, service providers, partners, sponsors

Description: On our website and in the OEKT app we publish the names of the people involved in the programme in the name register. In the name register and at the individual events, we briefly introduce the contributors.

Data categories: Name, title, role and function; partly institution and contact details

Data recipient (if applicable, third country transfer): none

Purpose + legal basis: Orientation aid for personal programme planning. The legal basis is a legitimate interest, as the names are also published as part of the individual event announcement.

Storage period: After the conclusion of the OEKT, the data is deleted.

Description: In publications published by us, we name authors in accordance with the authors' right to be named. The naming also extends to the accompanying marketing and public relations work. Where authors represent an institution relevant to the publication, their affiliation with that institution is also mentioned. For some publications, professional contact details of the authors are also published as a service to the readers.

Data categories: Name, title, role and function; partly institution and contact details

Data recipient (if applicable, third country transfer): none

Purpose + legal basis: To indicate authorship. The legal basis for the name is the fulfilment of the author's contract. For the contact details, the legal basis is a legitimate interest, as only professional contact details of relevant contacts are published here.

Storage period: After delivery of printed publications, subsequent deletion by us is not possible. Storage is otherwise until the request to delete a mention.

Description: The spoken word in video recordings of events can be transcribed into text. The texts can be added to the recordings as subtitles. Among other things, this serves the purpose of accessibility, so that e.g. hearing-impaired people can follow the events. At the same time, what is said can be translated into other languages in text form to facilitate international participation in the OEKT.

For the automation of transcription and translation, the OEKT uses the software of the British start-up veed.io, whose algorithms deliver high quality results. Veed.io also uses the recordings on its own responsibility to train its artificial intelligence for speech recognition and translation.

Details on data protection at veed.io: https://www.iubenda.com/privacy-policy/98533440

Data categories: Voice; information about individuals in the spoken word

Data recipient (third country transfer if applicable): VEED Limited, 136 High Holborn, Holborn, London WC1V 6PX, United Kingdom. The data transfer to the third country is covered by the special post-Brexit arrangements currently in place with the United Kingdom.

Purpose + legal basis: Automated provision of transcripts and translations for event recordings. The legal basis is a legitimate interest, since enabling accessibility and the organisation of the OEKT as an international event is one of its fundamental characteristics.

Storage period: Transcripts and translations are deleted along with the film to which they have been added as subtitles. The storage of audio data by veed.io for the optimisation of its artificial intelligence for speech recognition and translation follows the relevant specifications of Veed Limited.

Description: Persons who offer accommodation to participants are displayed to their assigned visitors as a contact in the "My neighbourhood" area.

Data categories: Name, address, email, telephone number

Data recipient (if applicable, third country transfer): none

Purpose + legal basis: Establishing contact between accommodation providers and visitors. The legal basis is the fulfilment of the contract, as this is the only way to make the accommodation available.

Storage period: After the conclusion of the OEKT, the data is deleted.

Description: Anyone can make a financial contribution to the OEKT with a donation. Donors are entered in a register for financial accounting and to be able to issue donation receipts if required. Sponsors can donate by bank transfer or via the service provider Betterplace.org, from which an iFrame is integrated into the website of the OEKT. The iFrame displays the screen through which donors can enter information about the amount of their donation, who they are and their payment method. One of the payment methods is PayPal. Betterplace.org handles the other payment methods via the payment service provider Stripe.

Because Betterplace.org is used in conjunction with Google reCaptcha and PayPal in particular, the website with the iFrame sets several cookies from PayPal and Google reCaptcha. The responsibility for the data processing associated with the iFrame and the cookies set via it lies with Betterplace.org. See their data protection information and the section "iframes from betterplace.org on websites of other providers": https://www.betterplace.org/c/regeln/datenschutz

Data categories: Name, contact details, donation amount, payment method (direct debit, credit card, PayPal or bank transfer) and the associated details of the means of payment (bank details, credit card details, email address for PayPal account), donation receipts.

Data recipient (if applicable, third country transfer): gut.org non-profit stock company (operating company of Betterplace.org), Schlesische Straße 26, 10997 Berlin and the financial service providers used by Betterplace.org. If a third country transfer takes place through Betterplace.org or its financial service providers, this is secured by the conclusion of EU standard data protection clauses.

Purpose + legal basis: donation administration. The legal basis for accepting donations is the fulfilment of the contract with regard to the donation as a benefit as well as the fulfilment of the legal obligations for financial administration. The legal basis for the use of Betterplace.org is a legitimate interest in the use of an efficient donation administration. The legal basis for the cookies set by Betterplace.org is that they are essential for the secure provision of the payment transaction.

Storage period: The donation data is stored for ten years in accordance with the requirements of tax law. For the storage of data at Betterplace.org and its financial service providers, see the information provided by Betterplace.org.

Description: Individuals who belong to a body of the OEKT, a church or church-related organisation, a state organisation, a political party or a civil society organisation and who play a social role in the context of their role or function in the OEKT are sometimes named in publications of the OEKT.

Data categories: Name, title, role and function; partly institution and contact details

Data recipient (if applicable, third country transfer): none

Purpose + legal basis: Public relations work with reference by name to members and functionaries of church and state life and civil society. The legal basis is a legitimate interest arising from the public role of these persons.

Storage duration: depending on the storage time for the respective publication

Description: Representatives of the media who are accredited to OEKT or who are known as multipliers for church and comparable social topics will be included in the OEKT press distribution list.

Data categories: Name, title, role and function, medium, contact details

Data recipient (if applicable, third country transfer): none

Purpose + legal basis: Public relations via direct contact with media representatives. The legal basis is a legitimate interest resulting from their accreditation or journalistic position.

Storage period: After the conclusion of the OEKT, the press distribution lists will be passed on to DEKT e.V. and ZDK as a basis for public relations for a future Kirchentag and Katholikentag.

Description: As a customer, we process personal data of our suppliers and service providers who are self-employed or partnerships, or of our contacts at such organisations, in order to be able to communicate with you about the processing of the order.

In addition to the content-related communication, your data is typically processed in the separately described processing operations for "communicating with us" (see there).

Data categories: Contact, contract and billing data

Data recipients (if applicable, third country transfer): Tax advisors, auditors, lawyers in their function as professional secrecy holders.

Purpose + legal basis: Proper management. The legal bases are both contract fulfilment and legal obligations and legitimate interests.

Retention period: In accordance with tax law, invoice data must be retained for 10 years; contract data must be retained for different periods depending on the type of contract. For copyrights, such periods extend up to 70 years beyond the death of the author.

7.8 Vacancies

Description: If you apply for a job with us, we will process your application documents until the end of the application process exclusively for the purpose of deciding on your employment. We restrict access to your documents to those persons whom we reasonably involve in the decision on your recruitment. If you are hired, your application documents will become part of your personnel file. If recruitment does not take place, we will either ask for your consent to include you in our pool of candidates or return or destroy your documents as soon as there is no longer any reason to expect an objection to our decision under anti-discrimination law.

Data categories: Name + contact details (email, telephone, address), photo, profile URL in professional networks (e.g. Xing); details in the letter of application, in the CV, in certificates and references, educational certificates and professional qualifications, notes on job interviews (by telephone and in person), results from recruitment tests, if applicable.

Data recipient (if applicable, third country transfer): None

Purpose + legal basis: Decision-making basis for filling a position. The legal basis is the preparation of the fulfilment of a contract (employment contract) and subsequently a legitimate interest in the defence against objections to negative decisions.

Storage period: 6 months after the end of the original application process

Description: If we are unable to offer you a suitable position at the moment, but would like to consider you again in the selection process for future vacancies, we ask for your consent to keep your application documents beyond the end of the current application process. If we are unable to get back to you for more than two years, we will ask for your consent to keep your documents for a further period, or we will return them to you or delete them.

Data categories: Name + contact details (email, telephone, address), photo, profile URL in professional networks (e.g. Xing); details in the letter of application, in the CV, in certificates and references, educational certificates and professional qualifications, notes on job interviews (by telephone and in person), results from recruitment tests, if applicable.

Data recipient (if applicable, third country transfer): None

Purpose + legal basis: Decision-making basis for future staffing. The legal basis is consent.

Storage period: 2 years since last contact or last consent

7.9 General infrastructure

Description: We provide visitors with access to our Wi-Fi network and thus the Internet. During the required registration at the access point for the Wi-Fi network, the unique identifier of your device and the usage times are recorded.

For all services that you call up on the Internet while using our network, the IP address of our network is logged. Insofar as there are investigations into activities that originated from our IP address, we are partially obliged to make available the usage documentation from the log file of our access points.

Data categories: MAC address of the device, usage times

Data recipients (if applicable, third country transfer): Normally no recipients; in the case of investigations, competent authorities and, under certain circumstances, private holders of a right to information or forensic experts commissioned by us.

Purpose + legal basis: Log files such as this are used to enable and strengthen IT security in our company. The legal basis is a legitimate interest, as we only access the Wi-Fi log file when a security analysis is required. It is only possible for us to assign the Wi-Fi data to specific devices and thus their owners with considerable effort and regularly only with the help of police investigations.

Storage period: Our Wi-Fi log file is deleted regularly, at the latest after the conclusion of the OEKT.

Description: All payments are recorded in the financial accounting. The person of the payer or payee is documented. In the case of legal entities, this sometimes also includes the names and contact details of contact persons for the transaction. In some cases, the reason for payment also provides information about persons or the activity of a person (e.g. salary/fee payments, travel bookings, expense reimbursements).

Data categories: Name, customer or supplier number, bank account or credit card details, reason for payment, travel details (time, destination, accommodation, means of transport, costs), hospitality (date, place/hospitality establishment, persons hosted, reason for hospitality, costs), details of other expenses (purchases, gifts).

Data recipient (if applicable, third country transfer): Our service provider for financial accounting, who is committed to data protection via an order processing agreement, is located in the EEA. A third country transfer does not take place.

Purpose + legal basis: Administration of all payment transactions. Legal basis is contract performance or legal obligation (tax and commercial law).

Storage period: We keep the data in the financial accounting for 10 years.

Description: Payments via a bank or credit card account from us are documented accordingly in the account statements.

Data categories: Name, bank details, payment date, payment amount, reason for payment (booking text)

Data recipient (if applicable, third country transfer): Our account-holding financial institutions, which are legally bound to data protection via banking secrecy and banking supervision. A third country transfer does not take place.

Purpose + legal basis: Cashless payment transactions; legal basis is contract performance.

Storage period: We keep account statements for 10 years.

Description: We use service providers for the administration, maintenance and care of our information technology. These service providers do not deal with the content of the personal data processed by us. However, when maintaining databases and other system units, personal data may be accessed by the service providers. All our service providers have been explicitly committed to confidentiality via corresponding contracts and in accordance with the sensitivity of the data to which they may have access.

Data categories: Any type of data

Data recipients (if applicable, third country transfer): IT service providers who are bound to data protection via an order processing contract or another form of confidentiality obligation. A third country transfer does not take place.

Purpose + legal basis: Use of competent service providers for professional IT administration. Legal basis is a legitimate interest, as the service providers have been committed to data protection via adequate confidentiality obligations.

Storage duration: Independent storage does not take place.

Description: In addition to data collection in individual databases (described above), we store documents on our storage media. This typically includes Office documents (Word, Excel, PowerPoint), PDF files, images, films, layouts, other formats of text, table and presentation files and ultimately any type of file whose use is appropriate in the context of our business processes.

The data protection issues regarding the content of the files depend on the relevant processing purposes in each case. In parallel, the storage of files and the metadata usually attached to them (primarily the creator signature) results in independent processing. Office documents in particular contain personal metadata when they are worked on jointly (collaboration) and the comment and note functions as well as the change mode are used for this purpose.

Data categories: Any type of data, but here focus on metadata: signature of file creator, signatures of file editors (also in comments + notes); time of creation, editing or storage.

Data recipient (if applicable, third country transfer): Our service provider for the hosting of online storage, which is bound to data protection via a processing contract, is located in the EEA. The service provider is part of an international group of companies with headquarters in the USA and further subcontractors in various third countries. The service provider has been obliged to limit data processing to its EU data centres. Any data transfer outside the EEA that may nevertheless take place is secured by the conclusion of EU standard data protection clauses.

Purpose + legal basis: Storage of files including metadata documented therein. The legal basis is a legitimate interest, as you have worked on the file yourself and have not suppressed the recording of your editor's signature.

Storage duration: Depending on the storage time for the individual file

Description: The deletion or destruction of data also constitutes data processing. We shred paper documents containing personal data requiring protection or dispose of them in the sealed bins of a professional document shredder. The quality level of the shredder used and the level of document destruction agreed with the service provider correspond to the risk or confidentiality classification of the documents to be destroyed.

Storage media (hard drives, e.g. from servers, computers, smartphones, tablets, USB sticks, memory cards) on which personal data worthy of protection was previously stored will, if they are no longer to be used to store this data, be securely erased by our IT administration by multiple, at least triple, complete overwriting or handed over to a professional storage media destroyer. The level of erasure or destruction will be commensurate with the risk or confidentiality rating of the data previously stored on the media.

Data categories: Any type of data

Data recipient (if applicable, third country transfer): Service providers for the professional destruction of paper documents and storage media who are obligated to comply with data protection via order processing contracts. A third country transfer does not take place.

Purpose + legal basis: Risk-compliant destruction or deletion of personal data. The legal basis is the legal obligation under data protection law to minimise and delete data.

Storage duration: Storage beyond deletion/destruction does not take place.

Description: In the event that we get into a legal dispute with you, we will pass on data about you and the circumstances of the dispute to lawyers and, if necessary, to the courts.

Data categories: Name, contact details, details of the subject matter of the dispute

Data recipients (if applicable, transfer to third countries): lawyers, courts, bailiffs. All recipients are obliged to confidentiality as a state institution or as a professional secrecy holder. A transfer to a third country does not take place.

Purpose + legal basis: Legal prosecution. The legal basis is the legitimate interest in seeking legal assistance from lawyers and, if necessary, courts.

Storage period: The named recipients process your data according to their own specifications to the extent necessary to fulfil the respective task. We store the data relating to a legal dispute until the final conclusion of the dispute, including all relevant limitation and objection periods. Should a repetition of a comparable dispute with you or other employees be conceivable, we will store at least the documents that are decisive for the proceedings - if necessary in anonymised form - for a correspondingly longer period of time.

Description: If you assert your data protection rights against us, we document the associated communication and processes in our data protection documentation.

Data categories: Name, contact details, data protection request details

Data recipient (if applicable, third country transfer): Our service provider for the hosting of online storage, which is bound to data protection via a processing contract, is located in the EEA. The service provider is part of an international group of companies with headquarters in the USA and further subcontractors in various third countries. The resulting data transfer outside the EEA is secured by the conclusion of EU standard data protection clauses.

Purpose + legal basis: Data protection management. The legal basis is the accountability obligation under data protection law.

Storage period: We store the data relating to a legal dispute until the final conclusion of the dispute, including all relevant limitation and objection periods. If it is conceivable that a comparable dispute with you or other employees will be repeated, we will store at least the documents that are decisive for the proceedings - if necessary in anonymised form - for a correspondingly longer period of time.

Last updated: April 2021
