1. GENERAL REMARKS AND PRINCIPLES OF DATA PROCESSING

We are pleased that you are visiting our website. The protection of your privacy and your personal information, the so-called personal data, whilst using our website is an important matter to us.

According to Art. 4 No. 1 GDPR, personal data is any information relating to an identified or identifiable natural person; This includes, for example, information such as your first name and surname, your address, your telephone number, your email address, but also your IP address.

Data that does not provide any reference to your person, such as anonymized data, does not qualify as personal data. According to Art. 4 No. 2 GDPR, processing of personal data (e.g., data collection, recording, organization, storage, sorting, retrieval, use, transmission, erasure or destruction) always requires a legal basis or your consent. Processed personal data must be deleted as soon as the purpose underlying the processing has been fulfilled and there is no longer a legal obligation to archive the data.

You can find information about how your personal data is treated when visiting our website here. We must collect personal data about you to provide the functions and services available on our website.

We also explain to you the nature and scope of the respective data processing, the purpose underlying it and the corresponding legal basis as well as the respective storage period.

This privacy policy only applies to this website. It does not apply to other websites of third parties to which we merely refer via a hyperlink. We cannot assume any liability for the confidential treatment of your personal data on the websites operated by such third parties as we do not have any influence on whether these operators comply with the requirements of data protection laws. Please find the information on the way your personal data is treated by these operators directly on these websites.

We provide separate data protection information for project tenders and job applications, which can be found on our website under the contacts link.

See below for the contact data of the applicable controllers and data protection officers.

2. CONTROLLERS

The controller who bears responsibility for processing personal data on this website is (see the imprint):

SPRIND GmbH
, Lagerhofstr. 4, 04103 Leipzig Management: Ms. Berit Dannenberg and Mr. Rafael Laguna de la Vera Email: INFO@SPRIND.ORG

3. DATA PROTECTION OFFICER

The data protection officer of SPRIND is available to answer any questions on data protection at our business address: SPRIND GmbH, Lagerhofstr. 4, 04103 Leipzig, Email: DATENSCHUTZ@SPRIND.ORG

4. COLLECTION OF GENERAL DATA AND INFORMATION

a) NATURE AND SCOPE OF DATA PROCESSING

In the case of mere informational use of the website, i.e. if you do not register or otherwise transmit information to us, we only collect the personal data that your browser transmits to our server. If you wish to view our website, we collect the following data, which is technically necessary for us to display our website to you and to ensure stability and security (legal basis is Art. 6 para. 1 p. 1 lit. f GPDR):

• the type of browser used and its version;
• the operating system used by the system accessing the website;
• the site from which the system accessing our website originated its request (referrer sites);
• the pages of our website that the system accessing our website accesses;
• the date and time of day our website is accessed;
• the internet protocol address (IP address);
• the internet provider of the system accessing our website;
• other similar data and information that serves to defend against cyberattacks to our IT systems.

b) PURPOSE AND LEGAL BASIS

In principle, any processing of personal data is prohibited by law and only permitted if the data processing falls under one of the following justifications:

• Art. 6 (1) p. 1 lit. a GPDR ("consent"): If the data subject has voluntarily, in an informed manner and unambiguously indicated by a statement or other unambiguous confirmatory act that he or she consents to the processing of personal data relating to him or her for one or more specific purposes;
• Art. 6 (1) p. 1 lit. b GPDR: If the processing is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at the data subject's request;
• Art. 6 (1) p. 1 lit. c GPDR: If the processing is necessary for compliance with a legal obligation to which the controller is subject (e.g., a legal obligation to keep records);
• Art. 6 para. 1 p. 1 lit. d GPDR: If the processing is necessary to protect vital interests of the data subject or another natural person;
• Art. 6 (1) p. 1 lit. e GPDR: If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
• Art. 6 (1) p. 1 lit. f GPDR ("Legitimate Interests"): If the processing is necessary to protect legitimate (in particular legal or economic) interests of the controller or a third party, unless the conflicting interests or rights of the data subject prevail (in particular if the data subject is a minor).

Furthermore, the storage of information in the terminal equipment of you as an end user, as well as access to information already stored in your terminal equipment, will only take place after you have given your consent pursuant to Section 25 (1) TDDDG, unless such consent is dispensable pursuant to Section 25 (2) TDDDG. For the processing operations carried out by us, we indicate the applicable legal basis in each case below. Processing may also be based on several legal bases.

c) DURATION AND STORAGE

Unless an explicit storage period is specified below, your personal data will be deleted or blocked as soon as the purpose or legal basis for the storage no longer applies. In principle, your data will only be stored on our servers in Germany, subject to any forwarding that may take place in accordance with the regulations in No. 7.

However, storage may take place beyond the specified time in the event of a (threatened) legal dispute with you or other legal proceedings, or if storage is provided for by legal regulations to which we are subject as the responsible party (e.g. § 257 HGB, § 147 AO). If the storage period prescribed by the legal regulations expires, the personal data will be blocked or deleted unless further storage by us is necessary and there is a legal basis for this.

5. DATA TRANSFER TO THIRD PARTIES

As with any larger company, we also use external domestic and foreign service providers (e.g. for IT, logistics, telecommunications, sales and marketing) to handle our business transactions. These service providers only act on our instructions and are contractually obligated to comply with the data protection provisions pursuant to Art. 28 GPDR.

6. DATA TRANSFER TO A THIRD COUNTRY

In the event that we process your data in a third country (i.e., a country outside of the European Union (EU) or the European Economic Area (EEA)) or this occurs within the framework of using the services of a service provider or when disclosing or transferring your data to third parties, such processing will only be performed to fulfill our (pre-)contractual duties, on the basis of your consent, due to a legal obligation or in the pursuit of our legitimate interests. Subject to applicable legal or contractual permissions, we only process data or have it processed in a third country if the criteria of Art. 44 et seq. GDPR are met. Some third countries are certified by the European Commission as having a level of data protection comparable to the EEA standard through so-called adequacy decisions (a list of these countries and a copy of the adequacy decisions can be obtained here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en). However, in other third countries to which personal data may be transferred, there may not be a consistently high level of data protection due to a lack of legal provisions. If this is the case, we ensure that data protection is adequately guaranteed. This is possible through binding company regulations, standard contractual clauses of the European Commission for the protection of personal data, certificates or recognized codes of conduct. With regard to the individual services, we will inform you at the appropriate point see No. 6 about the requirements for data transfer to third countries. Please contact our data protection officer (see No. 3)) if you would like to receive more detailed information on this.

7. COOKIES

We use cookies on our websites. Cookies are small text files that are assigned to the browser you are using and stored on your hard drive by a characteristic string of characters and through which certain information flows to the body that sets the cookie. Cookies cannot execute programs or transfer viruses to your computer and therefore cannot cause any damage. They serve to make the Internet offer as a whole more user-friendly and effective, i.e. more pleasant for you.

Cookies can contain data that make it possible to recognize the device used. In some cases, however, cookies only contain information on certain settings that cannot be related to a specific person. However, cookies cannot directly identify a user.

A distinction is made between session cookies, which are deleted as soon as you close your browser, and permanent cookies, which are stored beyond the individual session. With regard to their function, a distinction is made between cookies:

• Technical cookies: these are mandatory in order to navigate the website, use basic functions and ensure the security of the website; they do not collect information about you for marketing purposes, nor do they store which web pages you have visited;
• Performance cookies: these collect information about how you use our website, which pages you visit and, for example, whether errors occur during website use; they do not collect information that could identify you - all information collected is anonymous and is only used to improve our website and find out what interests our users;
• Advertising cookies, targeting cookies: these are used to provide the website user with tailored advertising on the website or offers from third parties and to measure the effectiveness of these offers; advertising and targeting cookies are stored for a maximum of 13 months;
• Sharing cookies: these are used to improve the interactivity of our website with other services (e.g. social networks); sharing cookies are stored for a maximum of 13 months.

Any use of cookies that is not absolutely technically necessary constitutes data processing that is only permitted with your explicit and active consent pursuant to Art. 6 (1) p. 1 lit. a DSGVO. This applies in particular to the use of advertising, targeting or sharing cookies. In addition, we will only share your personal data processed through cookies with third parties if you have given your explicit consent to do so pursuant to Art. 6 (1) p. 1 lit. a DSGVO. In the following, we name the legal bases in connection with the respective service.

Other services are also used on our websites that do not use cookies, but through other technologies, such as Javascript codes, web beacons, tags, other identifiers supported by AI-based technology that read data from or store data in visitors' terminal devices.

8. SERVICES IN DETAIL

a) WEBSITE ANALYSIS WITH MATOMO

We use "Matomo", an open source web analytics software of InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand, NZBN 6106769, on our website to analyze visits to our website. The statistics obtained enable us to improve our offer and make it more interesting for you as a user. We operate our own Matamo system because we wanted to refrain from using the customary external analysis by Google Analytics. Using Matamo, we analyze where visitors come from, which content is relevant to them, and where there may be any problems on our website. We do not conduct any specific monitoring of users as identifiable persons. All data, including the IP address is automatically anonymized before being stored.

We use a version of Matomo that does not require cookies. Thus, no Matomo cookies are stored on your computer for the purpose of web analysis. For the analysis of website usage, your IP address and information such as timestamp, web pages visited and your language settings are collected. We store the information collected in this way on our server.

Due to the purpose described above, the legal basis for the processing of your personal data is provided by Art. 6 (1) lit. f) GDPR.

For more information on Matomo's terms of use and data protection regulations, please visit: https://matomo.org/privacy/.

b) NEWSLETTER VIA CLEVERREACH

With your consent, you can subscribe to our newsletter, which will keep you up to date with the latest information from SPRIND.

We use the so-called double-opt-in procedure to subscribe to our newsletter. This means that after your registration, we will send you an e-mail to the specified e-mail address in which we ask you to confirm that you wish to receive the newsletter. If your registration is not confirmed, your personal data will be blocked and automatically deleted after one week. In addition, we store your IP address and the time of registration and confirmation. The purpose of this procedure is to be able to prove your registration and, if necessary, to clarify a possible misuse of your personal data.

Your e-mail address is the only mandatory information for sending the newsletter. The provision of further, separately marked personal data is voluntary and is used to address you personally. After your confirmation, we will save your e-mail address and, if necessary, other voluntary details for the purpose of sending the newsletter and optimizing the newsletter service. The legal basis is Art. 6 para. 1 p.sentence 1 lit. a GDPR as well as with regard to the storage of information in the terminal equipment by you as the end user and / or access to information already stored in your terminal equipment, Section 25 (1) TTDSG.

You can revoke your consent to the sending subscription of the newsletter at any time and unsubscribe from the newsletter. You can revoke your consent by clicking on the link provided in each newsletter e-mail, by sending an e-mail to info@sprind.org or by sending a message to the contact details given in the imprint. Your personal data will be deleted within one week after receipt of the newsletter, provided that the deletion does not conflict with any legal storage obligations.

We would like to point out that the sending distribution of our e-mail newsletters is carried out via the technical service provider CleverReach GmbH & Co. KG, Schafjückenweg 2, 26180 Rastede, Germany ("CleverReach"), to whom we pass on the data provided by the user during the newsletter registration. A corresponding agreement for commissioned data processing exists has been concluded. The data entered by users for the purpose of subscribing to the newsletter (e.g. email address) is stored on CleverReach's servers in Germany or Ireland. CleverReach uses this information to send and statistically evaluate the newsletter on our behalf. For evaluation purposes, the sent newsletters contain so-called web beacons or tracking pixels, which are one-pixel image files stored on our website. This way it can be determined whether a newsletter message was opened and which links were clicked if necessary. Technical information is also collected (e.g. time of access, IP address, browser type and operating system).

We use the data thus obtained to create a user profile in order to tailor the newsletter to the interests of the newsletter subscribers in the future. In doing so, we record whether and when you read our newsletters and which links you click on in these newsletters. This data is used exclusively for statistical analysis of newsletter campaigns. The results of these analyses can be used to better tailor future newsletters to the interests of the recipients.

Such tracking is not possible if you have deactivated the display of images by default in your e-mail program. In this case, the newsletter will not be displayed completely and you may not be able to use all functions. If you display the images manually, the tracking mentioned above will take place.

c) USAGE OF VIMEO PLUG-INS

For the integration and display of video content, our website uses plugins from Vimeo. The provider is Vimeo Inc, 555 West 18th Street, New York City, New York 10011, USA.

When you visit one of our sites equipped with a Vimeo plugin, a connection to the Vimeo servers is established. This allows Vimeo to know which of our pages you have visitedand what actions you perform on our website. This includes, among other things, the session duration, bounce rate and which button you clicked on our website with built-in Vimeo function. Vimeo also learns your IP address, technical information about your browser type, your operating system and basic device information, even if you are not logged into the video portal or do not have an account there.

If you have a Vimeo account and are logged in, you enable Vimeo to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your Vimeo account. The information collected by Vimeo is transmitted to the Vimeo server in the USA.

The legal basis for the processing is your explicit consent pursuant to Art. 6 (1) lit. a DSGVO and for as well as the storage of information in the end device from you as an end user and / or access to information already stored in your end device, § 25 (1) TTDSG. You can revoke these consents at any time in the cookie settings.

Vimeo is committed to complying with the EEA General Data Protection Regulation (GDPR) and refers to the use of standard contractual clauses in its privacy policy.

A data transfer to the USA after the discontinuation of the EU-US Privacy Shield is to be based on standard contractual clauses issued by the EU Commission and further guarantees. Although the transfer of personal data takes place on the basis of standard contractual clauses, this does not rule out the possibility that the US security authorities, which are equipped with comprehensive powers, may access your personal data at any time and without any reason. This applies even if the servers are located in Europe. As a U.S. company, Vimeo may also be required to transfer personal data of EU citizens to the U.S. security authorities that is located on servers in the EU or the EEA. There are no effective legal remedies available to you against this. For more information on the purpose and scope of data collection and its processing by Vimeo, please refer to its privacy policy. There you will also find further information about your rights and setting options for protecting your privacy.

You can find Vimeo's privacy policy at https://vimeo.com/privacy.

You can learn more about Vimeo's use of cookies at https://vimeo.com/cookie_policy?tid=331652428462.

d) PROCESSING OF PERSONAL DATA IN THE COURSE OF USAGE OF SOCIAL NETWORKS

As part of its public relations work, SPRIND maintains online profiles within the following social networks:

• X of X Corp., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA with a branch office at One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland

• LinkedIn of LinkedIn Ireland Unlimited Company (Wilton Place, Dublin 2, Irland)

• Instagram c/o Meta Platforms Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland),

• YouTube, LLC 901 Cherry Ave. San Bruno, CA 94066 USA,

in order to inform the users active there about SPRIND and to enter into an exchange with them. The references are indicated on our website by a link to our profile on the corresponding social networks. No social plug-ins are used.

We would like to point out that the conditions of use of the services mentioned and linked on our homepage and their operators are not subject to the control of SPRIND and that you use them on your own responsibility. These services and their operators store and process personal data of their users (including IP address, the application used, details of the end device, including the device ID and application ID, information on websites accessed, your location and your mobile phone provider). The data collected about you when using the services will be processed by X Corp. and LinkedIn in accordance with their own guidelines and may be transferred to countries outside the European Union. This data is assigned to the data of your respective account or profile, if you have set one up. SPRIND has no influence on the data collection and its further usage by the social networks. For example, there is no knowledge of the extent to which, where and for how long the data is stored, to what extent the networks comply with existing deletion obligations, what evaluations and links are made with the data and to whom the data is passed on. Please refer to the respective privacy policy of X and LinkedIn to find out which rights and setting options you have to protect your privacy:

https://x.com/en/privacyhttps://www.linkedin.com/legal/privacy-policyhttps://help.instagram.com/581066165581870/?helpref=hc_fnavhttps://policies.google.com/privacy?

X and LinkedIn share your personal data with their processors and third-party service providers that are located outside the European Economic Area ("EEA"), where they set their own cookies, such as Google LLC. These process the personal data obtained in this way for their own purposes, e.g. analysis and marketing as well as your usage behavior on external and their own websites. Profiling is also not excluded.

The personal data collected from you and those of third-party providers are transmitted to servers managed by Twitter or LinkedIn, which are mostly located in the USA. Following the discontinuation of the EU-US Privacy Shield, a transfer of data to the USA can at best be based on standard contractual clauses issued by the EU Commission and further guarantees. Although the transfer of personal data is based on standard contractual clauses, this does not rule out the possibility that the U.S. security authorities, which are equipped with comprehensive powers, can access your personal data at any time and without any reason. This applies even if the servers are located in Europe. You have no effective legal remedies against this.

You can limit the processing of your data in the general settings of your X account as well as in the section "Privacy and security". In addition, you can restrict X access to contact and calendar data, photos, location data etc. on mobile devices (smartphones, tablet computers) in the settings there. However, this is dependent on the operating system used. For more information on these matters, please visit the following X support pages:

https://help.x.com/en/safety-and-security/x-privacy-settings

9. YOUR RIGHTS

You have the right at all times

• to revoke any consent you may have given pursuant to Art. 7 (3) GDPR. As a consequence, any processing of your data based on your consent may no longer be continued, to obtain information about your personal data in accordance with Art. 15 GDPR. In particular, you have the right to obtain information about the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipient to whom the personal data have been or will be disclosed, the envisaged period for which the personal data will be stored, the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing, the right to lodge a complaint with a supervisory authority, where the personal data are not collected from the data subject, any available information as to their source, the existence of automated decision-making, including profiling and details thereon;
• to rectify or complete inaccurate personal data stored by the controller in accordance with Art. 16 GDPR without undue delay;
• to obtain from the controller the erasure of personal data in accordance with Art. 17 GDPR, provided that the processing of your personal data is not required for the exercise of the freedom of expression and information, to meet a legal obligation, reasons of public interest or to establish, exercise or defend against legal claims;
• to obtain from the controller a restriction of the processing of personal data pursuant to Art. 18 GDPR, provided you contest the accuracy of your personal data, the processing is unlawful but you oppose the erasure of the personal data and request the restriction of their use instead and the controller no longer needs the personal data but you require the data to establish, exercise or defend against legal claims or you object to processing pursuant to Article 21(1);
• pursuant to Art. 20 GPDR to receive the personal data which you provided in a structured, commonly used and machine-readable format and to transmit those data to another controller;
• object to the processing pursuant to Art. 21 GPDR, provided that the processing is based on Art. 6 (1) p. 1 lit. e or lit. f GPDR. This is particularly the case if the processing is not necessary for the performance of a contract with you. Unless it is an objection to direct marketing, when exercising such an objection, we ask you to explain the reasons why we should not process your data as we have done. In the event of your justified objection, we will review the factual situation and either discontinue or adapt the data processing or show you our compelling reasons worthy of protection on the basis of which we will continue the processing; To exercise your right to object, simply send an e-mail to DATENSCHUTZ@SPRIND.ORG.
• in accordance with Art. 7 (3) GPDR, to revoke your consent given once (also before the GPDR came into force, i.e. before 25.5.2018) - i.e. your voluntary will, made understandable in an informed manner and unambiguously by means of a declaration or other unambiguous confirming act, that you agree to the processing of the personal data in question for one or more specific purposes - at any time vis-à-vis us, if you have given such consent. This has the consequence that we may no longer continue the data processing, which was based on this consent, for the future and
• to lodge a complaint with a supervisory authority pursuant to Art. 77 GPDR. Generally, you can contact the supervisory authority of your habitual residence or workplace or to the jurisdiction in which we have our registered office.