Privacy notice

Last updated on

This privacy notice applies to the website tfedder.de. That includes the use of this website itself, as well as communication via mail, email or phone using the contact details provided on this website. This privacy notice explains the circumstances of all processing of personal data relating to this website, including your rights.
If the processing of personal data that relates to this website changes, this privacy notice will be updated. It is therefore recommended that you revisit this page regularly to be fully informed about the processing of your personal data.
Responsible for the processing of personal data here is:

Tobias Fedder
Barenbleek 20
22179 Hamburg
Germany

Contact me at legal@tfedder.de, if you have requests, questions or concerns regarding the processing of personal data through this website.

In short

This website is operated from within Germany, therefore the European Union's (EU) General Data Protection Regulation (GDPR) applies. Due to the GDPR you have a number of rights (listed below), regardless of your place of residence or citizenship. Depending on your place of residence you may have additional rights.

The following gives a short overview of the processing of personal data with regard to using this website; for more details please see below. For the processing of publicly available personal data for the purposes of referencing or citing activities or work of yours, please see below.

I do not process sensitive data, meaning data that the GDPR considers to be special categories of personal data, unless you actively provide it to me.

I do not knowingly process personal data of minors.

I do not sell your personal data.

I only share your personal data with the following entities: two service providers, data processors according to the GDPR, which process your data, in accordance with the GDPR, only in ways that are necessary to provide services that I need for the operation of this website. One data processor, netcup GmbH, runs the server hardware for this website; the other, Strato AG, provides email services to me (for details see below).
Furthermore, I might share your personal data with legal advisers if that is necessary to establish, exercise or defend legal claims.

I will provide your personal data to law enforcement in case of compulsory requests, for example a warrant.

The following personal data is processed:

While using this website your user‐agent, usually a web browser, will request resources from my web server to show and run the web page on your device. To send the response that contains the resource for each of your user‐agent's requests, the web server processes the IP address that is given in each request.

Additionally, each request generates an entry in the access log on my server. Each entry contains the following personal data:

I store this data in the access log for up to 24 hours, before I automatically anonymize the entries by removing all IP addresses. The anonymized access logs enable me to roughly estimate the number of visitors and the performance of this website.

Your IP address is an identifier through which others, for example your Internet Service Provider, might be able to identify you. I have neither the capabilities nor the intent to identify you through your IP address.

In case you contact me, depending on the method of communication, your postal address, your email address, or your phone number will be processed, as well as the time and date of the correspondence, and all further personal data you provide to me. That data will be processed to resolve your concern. When your concern is resolved, the personal data of the correspondence will either be deleted or it will be pseudonymized or encrypted, so that the data cannot be read unless your contact details are provided again. This allows me to demonstrate compliance with my privacy policy and the privacy laws that apply to this website. Within two years after your concern has been resolved, the data will be deleted. The pseudonymization, encryption or deletion of personal data may be deferred as long as I consider the data necessary to establish, exercise or defend legal claims.

Rights

Because this website is operated from within Germany, the EU's GDPR applies. Therefore you, regardless of your place of residence, have the following rights regarding your personal data processed in the context of this website.

You have the right to

For questions, requests or objections please use the contact details provided on this website, for example legal@tfedder.de.

Depending on your place of residence you may have additional rights due to other legislation. If you want to exercise a right not mentioned in this privacy notice, please use the contact details provided on this website.

If you believe I am missing an obligatory notice regarding any legislation that you think applies to this website, please get in contact with me.

Lodge a complaint

If you believe that I process personal data in violation of the GDPR you may lodge a complaint.
If you reside in the European Economic Area (EEA) you may lodge a complaint with the supervisory authority responsible for your place of residence.
If you do not reside in the EEA, it is preferable to lodge a complaint with the supervisory authority responsible for my place of residence, the Hamburgische Beauftragte für Datenschutz und Informationsfreiheit https://datenschutz-hamburg.de/ (de).

If you reside in Australia and you believe that I process your personal information in violation of the Australian Privacy Principles you may lodge a complaint with the Office of the Australian Information Commissioner https://www.oaic.gov.au/privacy/privacy-complaints/lodge-a-privacy-complaint-with-us.

If you reside in Brazil and you believe that I process your personal data in violation of the Lei Geral de Proteção de Dados Pessoais (LGPD) you may lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) https://www.gov.br/anpd/pt-br.

If you reside in India and you believe that I process your personal data in violation of The Digital Personal Data Protection Act (DPDP Act) you may lodge a complaint with The Data Protection Board of India.

If you reside in New Zealand and you believe that I process your personal information in violation of New Zealand's Privacy Principles you may lodge a complaint with the Privacy Commissioner https://www.privacy.org.nz/your-rights/making-a-complaint-to-the-privacy-commissioner/.

If you reside in Nigeria and you believe that I process your personal data in violation of the Nigeria Data Protection Act (NDPA) you may lodge a complaint with the Nigeria Data Protection Commission https://ndpc.gov.ng/.

If you reside in South Africa and you believe that I process your personal information in violation of The Protection of Personal Information Act (POPIA) you may lodge a complaint with the Information Regulator https://inforegulator.org.za/complaints/.

If you reside in Switzerland and you believe that I process your personal data in violation of the new Federal Act on Data Protection (nFADP) you may lodge a complaint with the Federal Data Protection and Information Commissioner https://www.edoeb.admin.ch/edoeb/en/home.html.

If you reside in the United Kingdom and you believe that I process your personal data in violation of the UK General Data Protection Regulation (UK GDPR) you may lodge a complaint with the UK data protection authority https://ico.org.uk/make-a-complaint/data-protection-complaints/data-protection-complaints/.

Processing of users' personal data in detail

Server response

While using this website your user‐agent, usually a web browser, will request resources from my web server to show and run the web page on your device. To send the response that contains the resource for each of your user‐agent's requests, the web server processes the IP address that is given in each request. The lawful basis of this processing is your implicit consent by your use of a user‐agent that is sending the requests to my server.

Access log

For every request sent to my server, the server creates an entry in a so-called access log. Each entry contains the following personal data:

I store this personal data in the access log for up to 24 hours. Then the IP address, which is the only identifier in an access log entry, will be replaced automatically by a random number, thereby anonymizing the entries, while preserving the information about which requests originated from the same source.
The legal basis for this processing is my legitimate interest, because the anonymized access log enables me to roughly estimate the number of visitors and the performance of this website. It also gives me insights into which pages or other resources are used together, and whether visitors encounter errors when browsing my website.

Legitimate interest assessment (LIA)

I concluded that this processing is lawful on the basis of the following LIA.

The processing of an IP address when using the web is unavoidable, and logging it is common practice on the web, among other purposes to analyze security threats or count visitors. Since the IP address is transmitted regardless, it allows the goal of counting visitors to be reached without gathering additional data. The processing of personal data for the purpose of counting visitors, if done in other ways than this, is either more intrusive or highly unreliable. Being counted as a visitor is expected when visiting a usual website that is not concerned with sensitive topics. This website does not cover sensitive topics; its content is innocuous. The data will be anonymized within 24 hours. The data won't be provided to any third party. It will remain on the server processing the requests until anonymization has happened. Only in exceptional cases could the data be momentarily displayed on other devices, through and controlled by the data controller, when accessing the server for the purpose of troubleshooting the processing. Therefore there is no impact on you during the intended processing of your personal data. In the unlikely event of unauthorized access to the current access log before anonymization, the unauthorized entity could only conclude at which time which page had been accessed by you, if that entity is already capable of identifying you through your IP address. Due to the innocuous content of this website, the impact on you in this unlikely scenario would be very low.
I therefore concluded that this processing is necessary to achieve my goal. The risk to you is extremely low. Therefore it is a legitimate interest of mine.

Right to objection

Since the processing is based on my legitimate interest, you have the right to object to it. You then have to demonstrate that your particular situation is not covered adequately by my LIA and that, due to your situation, your interests outweigh my legitimate interest.

Your IP address is an identifier that can change. An IP address and the time of use enable some third parties, for example your Internet Service Provider, to identify you. I have neither the capabilities nor the intent to identify you through your IP address. In case of an objection you therefore need to substantiate that the IP address, at the time of the processing, has been assigned to you.

Contacting me

In case you want to exercise your rights regarding the processing of your personal data, you have questions regarding this website, or you have a tip on how to improve this privacy notice, please contact me via the contact details provided on this website.
If you do, depending on the method of communication, your postal address, your email address, or your phone number will be processed, as well as the time and date of the correspondence, and all further personal data you provide to me during our correspondence. That data will be processed to resolve your concern. When your concern involves you exercising your rights, the personal data of the correspondence will be pseudonymized and encrypted, so that the data cannot be read unless your contact details are provided again. The processing of your personal data in pseudonymized or encrypted form is necessary, so that I can demonstrate compliance with my privacy policy and the privacy laws that apply to this website. Within two years after your concern has been resolved, the pseudonymized and encrypted data will be deleted. The pseudonymization or deletion of personal data may be deferred as long as I consider the data necessary to establish, exercise or defend legal claims. If your concern doesn't involve actions that need to be recorded, then I will delete your personal data immediately after resolving your concern. Depending on the state of our correspondence, the processing takes place on either the lawful basis of consent, given implicitly by contacting me with your concern, or the lawful basis of the necessity for compliance with my legal obligations, or the lawful basis of my legitimate interest to process your personal data for the establishment, exercise or defence of legal claims.

Publicly available personal data

I might use personal data of yours that is publicly available elsewhere when referring to work or actions of yours on this website, for example in a blog post. I will do so for the purposes of providing context or critique, and citing of sources. I concluded that it is my legitimate interest to process your personal data for these purposes, because such data is already publicly available elsewhere; therefore I don't put you at any risk by processing it. You have the right to object to the processing. Then you need to demonstrate that your interests, due to your particular situation, outweigh my stated interests.

Data processors

As the data controller for tfedder.de I decided to make use of two service providers who, in providing services to me, might process your personal data.

Server hardware run by netcup GmbH

Instead of purchasing and maintaining the server hardware and an internet connection to the servers all by myself, I decided that it is in the interest of my visitors and myself to have the hardware managed by a service provider. That service provider is netcup GmbH, located in Germany. For all processing of personal data through the web server the service provider is considered a data processor according to the GDPR. Since the data processor is located in Germany, the GDPR applies to the full extent. In compliance with the GDPR, a Data Processing Agreement (DPA) ensures that the processing of your personal data through the data processor is strictly limited to the processing necessary to provide the server hardware and make the server accessible via the internet.

Email server run by Strato AG

Instead of operating and maintaining an email server by myself, I decided that it is in the interest of my users and myself to have the email server managed by a service provider. That service provider is Strato AG, located in Germany. All communication via email from or to an email address with the domain tfedder.de, which possibly contains personal data, is processed by this service provider, which is therefore considered a data processor according to the GDPR. Since the data processor is located in Germany, the GDPR applies to the full extent. In compliance with the GDPR, a DPA ensures that the processing of your personal data through the data processor is strictly limited to the processing necessary to provide the email server functionality.

Legal advisers

I might share your personal data with legal advisers if, and only if, that is necessary to establish, exercise or defend legal claims.