Name and Address of the Data Controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the Member States, as well as other data protection provisions, is:

Conference Organizer:

International Section of the ISSA on Prevention in the Construction Industry (ISSA Construction)
Viktoriastraße 21
42115 Wuppertal
Germany

President: Prof. Karl-Heinz Noetel
Secretary General: Dr. Olha Bohdanova

Phone: +49 202 398-1425
Email: ISSA-C@bgbau.de

All payment transactions of the ISSA Construction Section are processed through:

Internationaler Verein für Prävention in der Bauwirtschaft e.V.
Hildegardstraße 29–30
10715 Berlin
Germany

VAT Identification Number pursuant to Section 27a of the German Value Added Tax Act: DE352365514
Register Court: Charlottenburg District Court
Registration Number: VR 39477

General Information on Data Processing

1. Scope of the Processing of Personal Data

As a general rule, we process personal data of our users only insofar as this is necessary to provide a functional website as well as our content and services. The processing of personal data of our users regularly takes place only with the consent of the user. An exception applies in cases where obtaining prior consent is not possible for factual reasons and where the processing of data is permitted by statutory provisions.

2. Legal Basis for the Processing of Personal Data

Insofar as we obtain the consent of the data subject for processing operations involving personal data, Article 6(1)(a) GDPR serves as the legal basis.

Where personal data is processed for the performance of a contract to which the data subject is a party, Article 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations required for the implementation of pre-contractual measures.

Insofar as processing of personal data is necessary for compliance with a legal obligation to which our organization is subject, Article 6(1)(c) GDPR serves as the legal basis.

In the event that vital interests of the data subject or another natural person require the processing of personal data, Article 6(1)(d) GDPR serves as the legal basis.

If processing is necessary to safeguard a legitimate interest of our organization or of a third party and the interests, fundamental rights and freedoms of the data subject do not override such interest, Article 6(1)(f) GDPR serves as the legal basis for processing.

3. Data Deletion and Storage Duration

The personal data of the data subject shall be deleted or blocked as soon as the purpose of storage no longer applies. Storage beyond this point may take place if provided for by European or national legislation in Union regulations, laws or other provisions to which the controller is subject. Data shall also be blocked or deleted when a storage period prescribed by the aforementioned provisions expires, unless further storage of the data is necessary for the conclusion or performance of a contract.

Information on Processing on Behalf of the Controller

This website uses the conference management software Converia, which is provided by Converia GmbH. Converia GmbH hosts the software and provides additional services to the event organizer such as software maintenance and support. In performing these activities, Converia GmbH may come into contact with personal data stored in the software and is therefore to be regarded as a processor.

A data processing agreement pursuant to Article 28 GDPR has been concluded with Converia GmbH (see section “List of Processors” in this document).

Provision of the Website and Creation of Log Files

1. Description and Scope of Data Processing

Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing device.

The following data is collected:

  • information about the browser type and version used
  • the user’s operating system
  • the user’s Internet service provider
  • the user’s IP address
  • date and time of access

2. Legal Basis for Data Processing

The legal basis for the temporary storage of data and log files is Article 6(1)(f) GDPR.

3. Purpose of Data Processing

Temporary storage of the IP address by the system is necessary to enable delivery of the website to the user’s device. For this purpose, the user’s IP address must be stored for the duration of the session.

Storage in log files takes place to ensure the functionality of the website. In addition, the data serves to optimize the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.

These purposes also constitute our legitimate interest in data processing pursuant to Article 6(1)(f) GDPR.

4. Duration of Storage

The data is deleted as soon as it is no longer required for achieving the purpose for which it was collected. In the case of data collected to provide the website, this is the case when the respective session has ended.

In the case of storage in log files, this is the case after no more than ten days. Storage beyond this period is possible. In this case, the users’ IP addresses are deleted or anonymized so that attribution of the accessing client is no longer possible.

5. Right to Object and Removal

The collection of data for the provision of the website and the storage of data in log files is mandatory for the operation of the website. Consequently, there is no possibility for the user to object.

Use of Cookies

1. Description and Scope of Data Processing

Our website uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user’s computer system. When a user accesses a website, a cookie may be stored on the user’s operating system. This cookie contains a characteristic string of characters that enables unique identification of the browser when the website is accessed again.

We classify cookies into the following categories:

Necessary Cookies (Type 1)

These cookies are essential to ensure that websites and their functions operate properly. Without these cookies, services such as participant registration cannot be provided.

Functional Cookies (Type 2)

These cookies enable improved convenience and performance of websites and provide various functions. For example, language settings can be stored in functional cookies.

Performance Cookies (Type 3)

These cookies collect information about how websites are used. Performance cookies help us identify particularly popular areas of our online offering. This allows us to tailor the content of our websites more precisely to your needs and thereby improve our offering. The information collected by these cookies is not personal data. Further information on the collection and evaluation of this information can be found in the section “Analysis of Usage Data”.

Third-Party Cookies (Type 4)

These cookies are set by third parties, for example social networks. They are primarily used to integrate social media content such as social plugins on our website. Information on how we use social plugins can be found in the section “Social Plugins” of the privacy policy.

2. Legal Basis for Data Processing

The legal basis for the processing of personal data using cookies is Article 6(1)(f) GDPR.

3. Purpose of Data Processing

The following cookies are used on our website:

Cookie Name

Purpose

Type

PHPSESSID

Identification of a user session

1

Converia_SID

Identification of a frontend user

1

4. Storage Duration, Right to Object and Removal

Cookies are stored on the user’s device and transmitted by the user to our website. Therefore, as a user you have full control over the use of cookies. By changing the settings in your Internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are disabled for our website, not all website functions may be fully available.

Registration and Use of the Functions of the Conference Management Software

1. Description and Scope of Data Processing

The conference management software offers users the possibility to register by providing personal data. The data is entered into an input form and transmitted to us and stored.

Mandatory information may be required during registration. This information must be provided completely and correctly. If this is not the case, registration will be rejected.

The system provides a function requiring active confirmation of a data protection agreement before personal data is stored in the software.

Registration is generally required for the following activities:

  • registration as a participant in an event
  • submission of a scientific contribution in the system
  • review of scientific contributions
  • activities as a speaker or chair of a session
  • use of the favorites function of the conference planner

The following data is collected and stored as part of the registration process and use of the software functions:

  • access data (username, password)
  • address data
  • email address
  • shopping cart data
  • data from pre-registration
  • billing information
  • information on submitted contributions
  • time- and location-related planning data (conference schedule)
  • information on memberships
  • information on verification documents (e.g. proof of student status)

Payment Processing

To process payments for participant registration for an event, various payment options are offered (e.g. invoice/bank transfer, credit card, PayPal). Sensitive payment information is not stored in the conference management system itself. Instead, specially certified payment service providers are used, which carry out data processing and storage. Users are redirected directly to the websites of the respective providers. Further information on data protection can be found on the websites of the respective service providers.

The following data is collected as part of payment processing:

  • selected payment method
  • invoice amount
  • amounts paid
  • billing data

Additional information on the payment service providers can also be found at the end of this privacy policy under “Data Protection Information”.

2. Legal Basis for Data Processing

Where the user has given consent, the legal basis for processing the data is Article 6(1)(a) GDPR.

If registration serves the performance of a contract to which the user is a party or the implementation of pre-contractual measures, Article 6(1)(b) GDPR additionally serves as the legal basis for processing the data.

3. Purpose of Data Processing

Registration of the user is required for the performance of a contract with the user or for the implementation of pre-contractual measures.

4. Duration of Storage

The data is deleted as soon as it is no longer required for achieving the purpose for which it was collected.

This is the case for data collected during the registration process for the performance of a contract or pre-contractual measures when the data is no longer required for the performance of the contract. Even after conclusion of the contract, it may be necessary to store personal data of the contractual partner in order to comply with contractual or statutory obligations.

Since access data including address data may be used for further events such as follow-up events, this data is generally removed from the system within two years after the last login.

5. Right to Object and Removal

As a user, you have the option at any time to cancel the registration. You can have the data stored about you amended at any time. Please contact the data controller by email or telephone (see information above).

If the data is required for the performance of a contract or for the implementation of pre-contractual measures, early deletion of the data is only possible insofar as no contractual or statutory obligations prevent deletion.

Rights of the Data Subject

If personal data concerning you is processed, you are a data subject within the meaning of the GDPR and have the following rights vis-à-vis the controller:

1. Right of Access

You may request confirmation from the controller as to whether personal data concerning you is being processed.

If such processing exists, you may request information from the controller regarding:

  1. the purposes for which the personal data is processed;
  2. the categories of personal data that are processed;
  3. the recipients or categories of recipients to whom the personal data concerning you has been or will be disclosed;
  4. the planned duration of storage of the personal data concerning you or, if specific information is not possible, criteria for determining the storage duration;
  5. the existence of a right to rectification or erasure of the personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing;
  6. the existence of a right to lodge a complaint with a supervisory authority;
  7. all available information about the origin of the data if the personal data is not collected from the data subject;
  8. the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organization. In this context, you may request to be informed of the appropriate safeguards pursuant to Article 46 GDPR in connection with the transfer.

2. Right to Rectification

You have the right to rectification and/or completion vis-à-vis the controller if the personal data concerning you that is processed is inaccurate or incomplete. The controller shall carry out the rectification without undue delay.

 

3. Right to Restriction of Processing

You may request restriction of processing of the personal data concerning you under the following conditions:

  1. if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
  2. if the processing is unlawful and you oppose the erasure of the personal data and request the restriction of the use of the personal data instead;
  3. if the controller no longer needs the personal data for the purposes of processing, but you require the data for the establishment, exercise or defense of legal claims; or
  4. if you have objected to processing pursuant to Article 21(1) GDPR and it has not yet been determined whether the legitimate grounds of the controller override your grounds.

Where processing of the personal data concerning you has been restricted, such data may – apart from storage – only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If the restriction of processing has been imposed pursuant to the above conditions, you shall be informed by the controller before the restriction is lifted.

4. Right to Erasure

a) Obligation to Erase

You may request the controller to erase the personal data concerning you without undue delay, and the controller is obliged to erase this data without undue delay, where one of the following grounds applies:

  1. the personal data concerning you is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
  2. you withdraw your consent on which the processing is based pursuant to Article 6(1)(a) or Article 9(2)(a) GDPR and there is no other legal ground for the processing;
  3. you object to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) GDPR;
  4. the personal data concerning you has been processed unlawfully;
  5. the erasure of the personal data concerning you is required for compliance with a legal obligation under Union law or the law of the Member States to which the controller is subject;
  6. the personal data concerning you has been collected in relation to the offer of information society services pursuant to Article 8(1) GDPR.

b) Information to Third Parties

Where the controller has made the personal data concerning you public and is obliged pursuant to Article 17(1) GDPR to erase the personal data, the controller shall, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform controllers that process the personal data that you, as the data subject, have requested the erasure by such controllers of any links to, or copy or replication of, that personal data.

c) Exceptions

The right to erasure does not apply insofar as processing is necessary:

  1. for exercising the right of freedom of expression and information;
  2. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  3. for reasons of public interest in the area of public health pursuant to Article 9(2)(h) and (i) as well as Article 9(3) GDPR;
  4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Article 89(1) GDPR, insofar as the right referred to in point (a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  5. for the establishment, exercise or defense of legal claims.

5. Right to Notification

If you have asserted your right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller is obliged to notify all recipients to whom the personal data concerning you has been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves disproportionate effort.

You have the right to be informed by the controller about these recipients.

6. Right to Data Portability

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to whom the personal data has been provided, provided that:

  1. the processing is based on consent pursuant to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR or on a contract pursuant to Article 6(1)(b) GDPR; and
  2. the processing is carried out by automated means.

In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, insofar as this is technically feasible. The freedoms and rights of other persons shall not be adversely affected by this.

The right to data portability does not apply to processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to Object

You have the right, on grounds relating to your particular situation, to object at any time to processing of personal data concerning you that is based on Article 6(1)(e) or (f) GDPR; this also applies to profiling based on those provisions.

The controller shall no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims.

Where the personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing; this also applies to profiling to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for such purposes.

You have the option, in connection with the use of information society services – notwithstanding Directive 2002/58/EC – to exercise your right to object by automated means using technical specifications.

8. Right to Withdraw the Data Protection Consent Declaration

You have the right to withdraw your data protection consent declaration at any time. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of the consent before its withdrawal.

9. Right to Lodge a Complaint with a Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant of the status and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Article 78 GDPR.

List of Processors

Converia GmbH
Kaufstr. 2–4
99423 Weimar
Germany

Type of processing:
Hosting and operation of the Converia conference management software
Maintenance and support

Data Protection Information

For the processing of payments, we use the payment service provider secupay AG, Goethestraße 6, 01896 Pulsnitz, Germany. Secupay AG is a payment institution authorized by the German Federal Financial Supervisory Authority (BaFin).

Secupay acts under its own responsibility under data protection law (§ 1(1) sentence 2 no. 6 ZAG in conjunction with Article 6(1)(b), (c) and (f) GDPR) and processes your personal data exclusively for the execution and processing of the respective payment transaction.

In particular, the following data is processed during the payment process:

  • payment information (e.g. IBAN, credit card number, verification code, payment amount)
  • transaction data (e.g. time, reference number, purpose of payment)
  • where applicable, contact data (e.g. name, address, email address)

Data processing is carried out for the purpose of secure and reliable payment processing and to comply with statutory obligations relating to fraud prevention, anti-money laundering and record-keeping requirements.

Legal bases for processing:

  • Article 6(1)(b) GDPR (performance of a contract)
  • Article 6(1)(c) GDPR (legal obligation)
  • Article 6(1)(f) GDPR (legitimate interest in secure payment processing)

Data is transmitted exclusively to recipients required for payment processing, in particular banks, credit institutions and, where applicable, commissioned IT service providers.

Data is stored only for as long as necessary for the processing purpose. Secupay deletes or anonymizes your data in accordance with statutory requirements once the processing purpose ceases to apply.