Data protection declaration under the GDPR

I. Name and address of the party responsible (hereinafter referred to as "the controller")

In keeping with the general data protection regulation and other national data protection laws of the member states and any other data protection regulations, the controller is the:

International Centre for Water Resources and Global Change
UNESCO Cat 2 Centre
Federal Institute of Hydrology
P.O. Box 200253
56002 Koblenz
Germany

Tel.: +49 (0)261 1306 5435
E-Mail: icwrgc@bafg.de
Website: cat2.globalwaterportal.org

II. Contact data of the data protection officer

The data protection officer of the controller is:

Michael Hils
Data protection officer
Federal Institute of Hydrology
P.O. Box 200253
56002 Koblenz
Germany

Tel.: +49 (0)261 1306 5295
E-Mail: datenschutz@bafg.de

III. General information on data processing

1. Extent of personal data processing

As a matter of principle, we only process personal data of our users to the extent necessary to provide a functional website, including our content and services. Processing of our users’ personal data is invariably subject to the prior consent of the user. An exception applies in cases where obtaining a prior consent is impossible for reasons of fact, while legal provisions allow processing of such data.

2. Legal basis for processing of personal data

Providing that we obtain the consent of the person concerned for personal data processing, Art. 6 (1) lit. a) EU General Data Processing Regulation (GDPR) shall constitute the legal basis.

When processing personal data required to perform a contract to which the data subject is party, Art. 6 ( 1) lit. b) GDPR shall serve as the legal basis. This shall also apply to processing operations required to implement pre-contractual measures.

Where processing of personal data is necessary to comply with a legal obligation the Federal Institute of Hydrology is subject to, Art. 6 (1) lit. c) GDPR constitutes the legal basis.

In cases where vital interests of the person concerned or any other natural person require processing of personal data, Art. 6 (1) lit. d) GDPR shall constitute the legal basis.

If processing is required to safeguard a legitimate interest of the Federal Institute of Hydrology or a third party, and the interests, fundamental rights and freedoms of the person concerned do not outweigh the first-mentioned interest, Art. 6 (1) lit. f) GDPR shall constitute the legal basis for processing.

3. Data deletion and storage time

Personal data of the person concerned are deleted or blocked as soon as the purpose of storage ceases to exist. Beyond that, data storage may take place if this has been stipulated by the European or national legislator within the scope of regulations, statutes or other provisions under EU law, to which the controller is subject. Data blocking or deletion shall also take place when a storage period specified by the stated standards expires, unless it is necessary to continue data storage for contract conclusion or contract performance.

IV. Provision of website and creation of logfiles

1. Description and scope of data processing

Every time our website is accessed, our system automatically captures data and information from the calling computer’s system.

In the process, the following data is collected:

  1. Information on the browser type and the version used
  2. The user’s operating system
  3. The user’s internet service provider
  4. The user’s IP address
  5. Date and time of access
  6. Websites, via which the user’s system accesses our website
  7. Websites, called by the user’s system via our website

The data is also stored in the logfiles of our system. This does not concern the IP addresses of the user or other data allowing the allocation of data to a user. Any storage of such data combined with other personal data of the user does not take place.

2. Legal basis for data processing

Legal basis for the temporary storage of data Art. 6 (1) lit. f) GDPR.

3. Purpose of data processing

Temporary storage of the IP address by the system is necessary to allow delivery of the website to the user’s computer. Therefore, the user’s IP address has to be stored for the duration of the session.

Our legitimate interest in data processing according to Art. 6 (1) lit. f) GDPR is also rooted in these purposes.

4. Period of storage

The data will be deleted as soon as they are no longer required to achieve the purpose of their collection. In the event of data acquisition for the provision of this website, this is the case when the session is terminated.

5. Objection and disposal option

Data acquisition for website provision and data storage in logfiles is imperative in order to operate the website. Hence, there is no option to object for the user.

V. Use of cookies

1. Description and scope of data processing

Our website uses cookies. Cookies are text files stored in the user’s computer system in the internet browser or by the internet browser. When a user calls a website, a cookie can be stored on the user’s operating system. This cookie contains a distinctive string, allowing clear identification of the browser when reopening the website.

We use cookies to make our website more user friendly. Some elements of our website require identification of the calling browser even after a page change.

In the process, the following data is stored and transmitted in the cookies:
Language settings

2. Legal basis for data processing

The legal basis for processing personal data using cookies is Art. 6(1) lit. f) GDPR.

3. Purpose of data processing

The purpose of using technically required cookies is to simplify using websites for the users. Some functions of our website cannot be offered without using cookies. Therefore, it is necessary that the browser is recognized even after a page change.

To operate the website, we require cookies to transfer language settings.

User data collected by technically required cookies will not be used to create user profiles.

Our legitimate interest in data processing according to Art. 6 ( 1) lit. f) GDPR is also rooted in these purposes.

4. Period of storage, objection and disposal option

Cookies are stored on the user’s computer and transferred from the latter to our site. Therefore, the user has full control of the use of cookies. By changing the settings in your internet browser, you may deactivate or limit cookie transmission. Cookies that have already been stored, can be deleted anytime. This can be automated. If cookies are deactivated for our website, it may not be possible to use all functions of the website.

VI. Newsletter

1. Description and scope of data processing

Our website offers the option of subscribing to a free newsletter. When registering for the newsletter, data from the input mask is transmitted to us. This concerns the e-mail address.

Furthermore, the following data is collected when registering:

  1. IP-address of the calling computer
  2. Date and time of registration

To process the data, we will seek your consent within the scope of the registration process with reference to this privacy policy.

In the context of data processing for the dispatch of newsletters, no data are disclosed to any third parties. The data is exclusively used to dispatch the newsletter.

2. Legal basis for data processing

The legal basis for data processing after the user’s registration for the newsletter is Art. 6 (1) lit. a DSGVO, if the user’s consent has been obtained.

3. Purpose of data processing

The user’s e-mail address is collected to deliver the newsletter.

4. Duration of storage

The data is deleted as soon as it is no longer required for achieving the purpose of its collection. The user’s e-mail address is thus stored as long as the subscription of the newsletter is active.

Any other personal data collected within the scope of the registration process will be deleted within a term of seven days.

5. Contesting and deletion option

The subscription to the newsletter may be cancelled by the user anytime. Each newsletter contains a relevant link for cancellation.

This also allows a revocation of the consent to the storage of the personal data collected during the registration process.

VII. E-Mail contact

1. Description and scope of data processing

Making contact is possible via the e-mail address provided. In this case, the user’s personal data is stored that is transmitted via the e-mail.

In this context, no data will be disclosed to any third parties. The data is exclusively used to process the conversation.

2. Legal basis for data processing

If the user’s consent has been obtained, Art. 6 (1) lit. A) GDPR shall constitute the legal basis for data processing.

Art. 6 (1) lit. F) GDPR shall constitute the legal basis for processing data transferred during the dispatch of an e-mail. If the e-mail contact aims at concluding a contract, Art. 6 ( 1) lit. b) GDPR shall constitute an additional legal basis for processing.

3. Purpose of data processing

When making contact via e-mail, a legitimate interest in processing the data also exists.

4. Period of storage

The data will be deleted as soon as they are no longer required to achieve the purpose of their collection. As regards the personal data from the input screen of the contact form and those data transmitted by e-mail, this is the case when the relevant conversation with the user has been terminated. The conversation is terminated when the circumstances imply that the issue concerned has been conclusively resolved.

5. Objection and disposal option

The user is entitled to revoke his consent to the processing of personal data anytime. In the event of the user contacting us via e-mail, he may object to the storage of his personal data anytime. In such a case, the conversation cannot be pursued.

Filing an objection can be implemented both by e-mail or by phone. In this case, any personal data stored in the course of establishing contact will be deleted.

VIII. Rights of the person concerned

If personal data relating to you are processed, you are a person affected within the meaning of GDPR and you have the following rights towards the controller:

1. Right to information

You may demand from the controller a confirmation of the fact whether we process personal data relating to you.

If such processing takes place, you may request information from the controller on the following issues:

  1. the purposes for processing personal data;
  2. the categories of personal data processed;
  3. the recipients resp. the categories of recipients to whom the personal data relating to you have been disclosed or will be disclosed;
  4. the planned term of storage of the personal data relating to you or, if stating precise figures is unfeasible, criteria to determine the term of storage;
  5. the existence of a right to correction or deletion of the personal data relating to you, a right to limitation of processing by the controller or a right of objection to the processing;
  6. the existence of a right to appeal to a regulatory authority;
  7. all information available on the origin of the data, if the personal data is not collected from the person concerned;
  8. the existence of an automised decision-making process including profiling according to Art. 22 (1) and 4 GDPR and – at least in these cases – meaningful information on the logic involved as well as the scope and implications pursued of such processing for the person concerned.

You are entitled to request information on the fact whether the personal data relating to you are transmitted to a third country or to an international organisation. In this context, you may demand to be informed on the appropriate guarantees according to Art. 46 GDPR relating to the transmission.

This right to information may be limited insofar, as it may prospectively prevent or seriously impede the implementation of research or statistical purposes, and where the limitation is required to satisfy these research or statistical purposes.

2. Right to correction

You have a right to correction and/or completion of the data towards the controller as far as the personal data processed relating to you are incorrect or incomplete. The controller must implement the correction without delay.

Your right to correction may be limited insofar, as it may prospectively prevent or seriously impede the implementation of research or statistical purposes, and where the limitation is required to satisfy these research or statistical purposes.

3. Right to limitation of processing

You may demand limitation of processing of the personal data relating to you subject to the following conditions:

  1. if you contest the correctness of the personal data relating to you for a period allowing the controller to verify the correctness of the personal data;
  2. if processing is unlawful and you refuse the deletion of the personal data and demand limitation of use of the personal data instead;
  3. if the controller no longer needs the personal data for processing purposes but you require them for the establishment, exercise or defence of legal claims, or
  4. if you have appealed against processing according to Art. 21 (1) GDPR and it has not yet been determined whether the legitimate reasons of the controller outweigh your reasons.

If processing of the personal data relating to you has been limited, this data may – excepting its storage – only be processed with your consent or to establish, exercise or defend legal claims or to protect the rights of another natural or legal person or for reasons of substantial public interest of the EU or a member state.

If processing has been limited pursuant to the above conditions, you will be informed by the controller before the limitation will be removed.

Your right to correction may be limited insofar, as it may prospectively prevent or seriously impede the implementation of research or statistical purposes, and where the limitation is required to satisfy these research or statistical purposes.

4. Right to deletion

a) Obligation to delete data

You may require the controller to delete the personal data relating to you without delay and the controller is obliged to delete this data without delay if one of the following reasons applies:

  1. the personal data relating to you are no longer required for the purposes they have been collected for or otherwise processed for
  2. you revoke your consent, on which processing pursuant to Art. 6 ( 1) lit. A) or Art. 9 ( 2) lit. A) GDPR was based, and there is no other legal basis for processing
  3. you object to processing pursuant to Art. 21( 1) GDPR and there are no primary legitimate reasons for processing, or you object to processing pursuant to Art. 21 (2) GDPR.
  4. the personal data relating to you have been unlawfully processed.
  5. deletion of the personal data relating to you is required for compliance with a legal obligation under EU law or the law of the member states, the controller is subject to.
  6. the personal data relating to you have been collected relating to services provided by the information society pursuant to Art. 8 ( 1) GDPR.

b) Provision of information to third parties

If the personal data relating to you have been made publicly available by the controller and if he is obliged to their deletion under Art. 17 ( 1) GDPR, he shall take adequate measures, including those of a technical nature, in consideration of the technology available and the implementation cost, to inform data processing controllers handling personal data of the fact that you, as person concerned, have demanded from them the deletion of all links to these personal data or of copies or of replications of these personal data.

c) Exceptions

The right to deletion does not exist, if processing is required

  1. to exercise the right to freedom of expression and information;
  2. to comply with a legal obligation requiring processing under EU law, or the law of the member states, the controller is subject to, or to perform a task, which is in the public interest, or in the exercise of official authority vested in the controller;
  3. for reasons of public interest in the field of public health pursuant to Art. 9 (2) lit. h) and i) as well as Art. 9 (3) GDPR;
  4. for archiving, scientific or historic research or statistical purposes in the public interest pursuant to Art. 89 (1) GDPR, insofar as the right mentioned in section a) will presumably prevent implementing the objectives of this processing or seriously impede the latter, or
  5. to assert, exercise or defend legal claims.

5. Right to information

If you have asserted the right to correction, deletion or limitation of processing against the controller, the latter is obliged to inform all recipients to whom the personal data relating to you have been disclosed, of this correction or deletion of data or limitation of processing, unless this proves impossible or involves a disproportionate effort.

You may enforce the right to be informed of these recipients against the controller.

6. Right to data portability

You are entitled to obtain the personal data relating to you, that you have supplied to the controller, in a structured, common and machine-readable format. You are furthermore entitled to transfer these data to another controller without interference from the controller, who has been provided with the personal data, if

  1. processing is based on a consent pursuant to Art. 6 ( 1) lit. a) GDPR or Art. 9 ( 2) lit. a) GDPR or on a contract pursuant to Art. 6 ( 1) lit. b) GDPR and
  2. processing takes place by means of automated procedures.

In exercising this right, you are also entitled to effect that the personal data relating to you are directly transferred from one controller to another controller if this is technically feasible. Freedoms and rights of other persons must not be impeded hereby.

The right to data portability does not apply to processing of personal data required for the performance of a task in the public interest or in the exercise of official authority vested in the controller.

7. Right of objection

For reasons relating to your particular situation, you are entitled to object to the processing of the personal data relating to you, implemented on the basis of Art. 6 (1) lit. e) or f) GDPR; this also applies to profiling based on these provisions.

The controller ceases to process the personal data relating to you, unless he can provide compelling and legitimate reasons for processing that outweigh your interests, rights and freedoms or if processing is required for the assertion, exercise or defence of legal claims.

If the personal data relating to you are processed to engage in direct advertising, you are entitled to object to the processing of the personal data relating to you for such advertising purposes anytime; this also applies to profiling, insofar as it is related to such direct advertising.

If you object to processing for direct advertising purposes, the personal data relating to you are no longer used for these purposes.

The personal data relating to you have been collected relating to services provided by the information society pursuant to Art. 8 (1) GDPR.

In connection with the use of services provided by the information society, notwithstanding Directive 2002/58/EG, you may exercise your right of objection by means of automated processes using technical specifications.

For reasons relating to your particular situation, you are also entitled to object to the processing of personal data relating to you for scientific or historic research purposes or statistical purposes pursuant to Art. 89 (1) GDPR

Your right to correction may be limited insofar, as it may prospectively prevent or seriously impede the implementation of research or statistical purposes, and where the limitation is required to satisfy these research or statistical purposes.

8. Right to revoke consent to the data protection declaration

You are entitled to revoke your consent to the data protection regulation anytime. Revoking the consent does not affect the lawfulness of processing based on the consent prior to the revocation.

9. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.

The supervisory authority with which the complaint has been lodged, shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR. The Federal Commission for Data Protection and Freedom of Information (BfDI) is the supervisory authority for the Federal Institute of Hydrology.