Data Privacy Statement (As of June 2018)
I. Preliminary remarks
The Operator takes the protection of your data very seriously and complies with the data protection laws. These laws serve the protection of natural persons with regard to the processing of personal data, which is any information relating to an identified or identifiable natural person. Such data will be processed only to the extent that is required for the performance of any contract or the provisioning and improvement of the Platform. The processing for the performance of the contract is effected only if you initiate or complete a contract with the Operator. In this respect, reference is made to the User Contract. The processing for provisioning and improvement is carried out only if it is provided below or with separate consent, ordered by government authorities or court order or otherwise provided by law. The data is processed by the Operator only in the Member States of the European Union (EU). In particular, the data processing Internet servers of the Operator are located in the Member States of the EU. There is generally no transfer to a third country or an international organization.
II. Data processing
Your data will be processed both independent of and dependent on a form. Form- dependent data represents data entered in a form on the Platform. Form-independent data is data that you also leave behind on the servers of the Operator without entering it in a form. You may also leave behind form-independent data on the servers of the Operator when you use an app or the web page of a customer of the Operator. This data, however, is processed by the Operator only on behalf of its customer responsible for the processing of data. You may find the data privacy notice of this customer on the respective app or website.
1. Form-dependent Processing
The data you enter in a form on the Platform is processed when using the form, in particular after submitting the form. This includes contact details and, if you are a customer of the Operator, your customer account data. Personal data that you provide on a designated form is generally transmitted in encrypted form to the server of the Operator.
a) Contact Form
If you contact the Operator via a form, the data entered in the contact form will be encrypted on the server of the Operator and transmitted to the Operator by email. There is no further automated processing of your personal data in this respect. The personal data transmitted about your person will be used only for processing your request. If the request is in connection with data processing that the Operator carries out on behalf of a customer, the Operator will transmit your request in encrypted form to the respective customer. Responses are generally sent by email, which will also be transmitted in encrypted form insofar as your mail service provider supports this feature. After final processing of the request, your personal data that you entered in the contact form or in a response to the operator will be deleted. This does not apply if the data is still required for the performance of the contract or statutory retention obligations. In this respect, however, the processing of your data is restricted.
b) Customer Account
A customer account will be set up for you as a customer of the Operator. In this respect, the data provided in the User Contract and, if applicable, subsequently entered in forms in the customer account, in particular your contact and campaign data, will be stored on the servers of the Operator. You may view the stored data at any time in the customer account as well as edit and complete it by means of the forms in the settings. You can, of course, also personally contact the Operator for example by using the aforementioned email address. The same applies to the erasure of the customer account. However, your data may be erased only if it is no longer required for the performance of the contract or is not subject to statutory retention obligations. In the meantime, the processing of your data is restricted and, in particular, the customer account will be locked.
The Operator offers you a newsletter subscription via email. In order for you to receive such newsletters, the Operator requires your email address. Furthermore, the Operator requires other data to verify that you, as the owner of the address provided, agree to subscribe to the newsletter. For this purpose the Operator uses a double opt-in (DOI) process. This means that you will receive an email containing an individual link after registration through which you may confirm your registration (confirmation link). You will only receive the newsletter after such a confirmation. In addition to your email address, the time and IP address of the registration and confirmation as well as the confirmation link will be processed for the DOI, its verification and to prevent abuse. Other data is not processed in this respect. The data is only processed in order to provide and distribute the newsletter. Your personal data will not generally be transferred to third parties. However, the Operator may use the services of an email service provider who processes the data on its behalf according to the law and the provisions of this Data Privacy Statement; the service provider is not a third party in this respect. If you want to unsubscribe from the newsletter, you may use the corresponding link in the newsletter (unsubscribe link) or personally contact the Operator by email at the email address given above, for example. Cancelling the newsletter will also mean that you have withdrawn your consent to subscribe to the newsletter and to the data processing required for this purpose. If you unsubscribe from the newsletter or fail to complete the DOI within two weeks, your data will be deleted unless it is required as evidence of a completed DOI or to prevent abuse; however, the processing of data will be restricted in this respect. Registration for the newsletters carried out through an encrypted connection. The newsletter is also distributed in encrypted form, as long as your email service provider supports this function.
2. Form-independent Processing
The data that the operator requires for the provision or improvement of the Platform is processed independent of a form. This may include in particular browser cookies, mobile identifiers and access protocols, the data being generally transferred in encrypted form.
a) Browser Cookies
b) Access Protocols
The use of the platform and the advertising delivery are statistically analysed. For this purpose and in order to prevent abuse of the Platform, the Operator creates an access protocol. The number of accesses to the Platform and the retrieval of stored advertising are stored in the protocol. This includes data that is transmitted when establishing a connection between your browser and the Platform. In other words, this includes your IP address, the time of your access or retrieval, which address (URL) was accessed, whether the access was successful and the size of the data transferred by the Platform. Insofar as your browser transmits the corresponding data, the previous address (referrer) as well as information about the used operating system and browser (e.g. saved version) is also stored. You may prevent the transfer of this data by adjusting the settings of your browser, however. The protocols serve to prevent abuse and are deleted as soon as they are no longer required. By default, the log data is deleted after 24 hours. In addition, transaction logs are maintained elsewhere. These contain the ID from a cookie of the platform and the anonymized IP address which was shortened by the last quarter (octet). The protocols are also statistically analysed for customers that use the Platform for advertising delivery. The analysis shows which advertising was delivered and when and to which web page or which app. This means that the logged data is visible only to a limited extent. In particular, the last octet of the IP address are redacted. Such an analysis therefore does not allow the identification of your person. The protocols are merged with other data only in definite cases of suspected abuse. In such cases the Executive Board and the Data Protection Officer of the Operator, and possibly the affected customer, are consulted. The logs will be deleted as soon as they are no longer necessary to prevent abuse. At the latest, they are deleted three months after the end of the calendar month in which the data was logged.
c) Social Networks
1. XING (XING SE): https://www.xing.com/privacy
2. LinkedIn (LinkedIn Corporation): https://www.linkedin.com/legal/privacy-policy
3. Google+ (Google Inc.): https://www.google.com/intl/de/policies/privacy/
4. Instagram (Instagram LLC): https://help.instagram.com/155833707900388
5. Twitter (Twitter International Company): https://twitter.com/en/privacy
6. Facebook (Facebook Ireland Limited): https://www.facebook.com/privacy/explanation
d) Embedded Content
III. Your Rights
If you are affected by processing of your personal data, you have rights vis-à-vis the party responsible for the data processing in accordance with data protection regulations. You can contact the Operator at any time in order to assert these rights for example by email to the aforementioned address. The same applies in the case of other questions regarding data protection by the Operator. In addition to the Operator, you may also contact the Data Protection Officer of the Operator: Attorney-at-Law Daniel Raimer, LL.M. at the Law Offices of Daniel Raimer in Düsseldorf. The contact details of the Data Protection Officer are available on his website’s Imprint page. If the data processing is carried out on behalf of a customer of the Operator, please do not hesitate to contact this customer at any time; reference is made to the imprint of the respective app and/or website that you use for the customer’s contact information. When initiating contact concerning advertising on the Internet, you should specify the Cookie ID to permit a classification. You will find the cookie ID at http://www.yieldlab.net/privacy/.
When contacting the party in a different context, please also specify the information that may facilitate classification in the respective context (e.g. your customer number if you are a customer).
1. Right of Revocation
You have the right to revoke any consent to data processing at any time. Revoking your consent will not affect the lawfulness of the processing carried out until the revocation of the consent.
2. Right of Objection
For reasons arising from your specific situation, you have the right to object to the processing of personal data relating to you that is necessary to carry out a task in the public interest or to safeguard the legitimate interests of the Operator. The Operator will cease processing the personal data unless the Operator can provide legitimate and compelling reasons for the processing that outweigh your interests, rights and freedoms or the processing serves the establishment, exercise or defence of legal claims.
If your data is processed for direct marketing purposes, you have the right to object to the data processing for the purpose of such advertising at any time. If you object to the processing for purposes of direct marketing, your personal data will no longer be processed for these purposes.
You can submit your objection to the processing of cookies for advertising purposes via the following link:
Doing so will create an opt-out cookie. This cookie prevents your browser from storing cookies with an advertising ID or otherwise assigning you to advertising categories. An already existing Operator ID will be deleted. As a result, customers of the Operator may also no longer be able to assign a separate ID or advertising categories to you. The use of the opt-out cookie requires, of course, that the corresponding settings in your browser do not prevent the storage or deletion of cookies, so after deleting an opt-out cookie you would also need to resubmit the objection. Furthermore, the Operator considers it to be an objection to data processing for advertising purposes if you activate the do-not-track option in your browser settings. Your right to contact the Operator or its customers personally will, of course, remain unaffected.
3. Right of Appeal
You have the right to file a complaint with a supervisory authority if you are of the opinion that the processing of your personal data violates statutory regulations. The responsible authority at the location of the Operator is the state representative for data privacy and information freedom North-Rhine Westphalia (LDI) in Düsseldorf. The contact details are available on the web page of LDI. Your right to file a complaint with another supervisory authority, in particular in the Member State of your residence, place of work or the location of the alleged violation, will remain unaffected. Furthermore, the right of appeal will not be affected by any other administrative or judicial appeal.
4. Right to be Informed
You have the right to request a confirmation by the Operator concerning whether your personal data is processed; if this is the case, you have the right to be informed about this data and the following information: (a) the processing purposes; (b) the categories of personal data that are processed; (c) the recipients or categories of recipients to whom the data has been disclosed or will be disclosed; (d) the planned duration for which the data is stored, or if this is not possible the criteria for the definition of this term; (e) your rights under the data protection legislation; (f) if the data is not collected from you, all available information about the origin of the data; (g) the existence of an automated decision-making including profiling and meaningful information about it. For the most part, you can already infer the information from this Data Privacy Statement. In addition, you can naturally contact the Operator for example at the aforementioned email address at any time. On request the Operator will provide you with a copy of the personal data that is subject to the processing. However, this applies only if it does not affect the rights and freedoms of other persons. If you submit the request electronically, your information will be provided in a standard electronic format unless you specify otherwise.
5. Right to Rectification
You have the right to request the immediate rectification of inaccurate personal data pertaining to you from the Operator. Taking into account the purposes of processing, you also have the right to demand the completion of incomplete personal data including by means of a supplementary declaration.
6. Right to Erasure
You have the right to request the immediate erasure of inaccurate personal data pertaining to you from the Operator. The Operator will immediately erase such data unless one of the following reasons applies: (a) the data is no longer required for the purposes for which the data was collected or processed in any other way; (b) you revoke your consent on which the processing was based and there is a lack of any legal basis for the processing; (c) you object to the processing and there are no overriding legitimate reasons for the processing or your objection concerns direct marketing; (d) your personal data has been unlawfully processed; (e) the erasure is required to fulfil a legal obligation to which the Operator is subject or (f) the data was collected from an offer of information society services that was directly aimed at a child on the basis of the child’s consent.
The right to erasure will not apply if the processing is required for the following: (a) to exercise the right to freedom of expression and information; (b) in order to fulfil a legal obligation; (c) to perform a task in the public interest or (d) for the establishment, exercise or defence of legal claims. If this is the case, you may request the restriction of processing.
7. Right to Restrict Processing
You have the right to request the restriction (blocking) of processing from the Operator if any of the following conditions apply: (a) you dispute the accuracy of your personal data, namely for a period that allows the Operator to verify the accuracy of this data; (b) the processing is unlawful and you reject the erasure of your data and instead request the restriction of the use of data; (c) the Operator no longer needs the personal data for the purposes of processing but instead for the establishment, exercise or defence of legal claims or (d) you objected to the processing, as long as it is not clear whether the legitimate reasons of the Operator override yours. The consideration of legitimate reasons is not required in the case of objection to the processing for direct marketing purposes.
If the processing was restricted, your personal data – apart from being stored – will be processed only with your consent or for the establishment, exercise or defence of legal claims, to protect the rights of any other person or for reasons of substantial public interest. If you have obtained a restriction of processing, you will be informed by the Operator before the restriction is lifted.
8. Right to Data Portability
You have the right to receive your personal information that you have provided to the Operator in a structured, common and machine-readable format, and you have the right to transmit this data to another responsible person without interference from the Operator provided that the processing is based on your consent or a contract between you and the Operator and the processing is performed by means of automated procedures. In this respect, you have the right to insist that your personal data is directly transmitted from the Operator to another responsible person insofar as this is technically feasible and the rights and freedoms of others are not be affected. Your right to erasure will remain unaffected. This right does not apply to processing that is required for the performance of a task carried out in the public interest.
The Operator will notify all recipients to whom the data has been disclosed of any rectification or erasure of your personal data or a restriction of processing unless this proves impossible or would involve disproportionate effort. The Operator will inform you of such recipients at your request.
If the Operator has made the personal data public and is obliged to erase such data, the Operator will take appropriate measures taking into account the available technology and the implementation costs to inform third parties processing your personal data about your request to erase all links to this data or copies of the data.
IV. Final Remarks
1. Legal Basis
The statutory regulations for data protection can be found in particular in the German Federal Data Protection Act (BDSG) and the Telemedia Act (TMG). As of 25 May 2018, however, the EU General Data Protection Regulation (GDPR) will apply primarily. If you have given explicit consent to the processing of your data, this simultaneously represents the legal basis for data processing for the purposes to which you have consented (Art. 6 (1) (a) GDPR). As far as the processing is necessary for the performance or initiation of a contract, Art. 6 (1) (b) GDPR forms the legal basis. User contracts between you and the Operator entered into or initiated at your request are involved here. In addition, Art. 6 (1) (f) GDPR is the legal basis for the processing of data for safeguarding the legitimate interests of the Operator. This includes the economic interest in the operation of the Platform and, in particular, the delivery of target group-oriented and interest-oriented advertising. There is no automated decision- making including profiling within the meaning of Art. 22 GDPR. In particular, the assignment to advertising features will have no legal effect on you or affect you significantly in a similar way.
2. Protective Measures
The Operator will, taking into account the nature, scope, circumstances and purposes of the processing as well as the different probabilities of occurrence and severity of the risks for your rights and liberties, initiate appropriate technical and organizational measures to ensure that the data processing complies with legal requirements. The measures will take into consideration state-of-the-art technology and, in particular, include the encryption of your data. The equipment and systems on which data is processed are protected against unauthorized access both physically and digitally. In particular, the servers of the Operator are password protected. With regular testing and updating of the software, the Operator will prevent security vulnerabilities that could allow abuse of your data. Only those subordinate persons (employees) of the Operator will receive access to personal data who require it for the fulfilment of their tasks and only to the extent required. The employees of the Operator will be instructed in advance with regard to data processing and obligated to maintain confidentiality. With regular backups, the data is protected against loss and can be restored at any time. The default setting of the systems ensures that only personal data required for the purpose of processing will be processed. In doing so, data protection principles such as data minimisation are implemented. In addition, the Operator ensures the confidentiality, integrity, availability and reliability of the systems with technical and organizational measures. The compliance with data protection legislation is regularly reviewed and measures are updated where necessary.
Data Privacy Statement as Download
Yieldlab adheres to the European principles for self-regulation of the digital advertising industry for usage-based online advertising. Further information about the so-called Online Behavioral Advertising Framework of the European Interactive Digital Advertising Alliance (EDAA) can be found here: http://www.edaa.eu.