Data Protection Statement

According to the General Data Protection Regulations of the European Union

I. Name and address of the person responsible

Responsible in terms of the European General Data Protection Regulation (GDPR) and other national data privacy statements of the EU member states as well as other privacy regulations – for the website «empire2.info» is:

Tomaž Kramberger
Heßstraße 96
80767 München
Germany

II. Introductory notes
1. Terminology and abbreviations used in following statement:

Speaking of the «controller» or respectively of «we» designates the author of the website empire2.info, the responsible person mentioned above.
«Data subject» or respectively «you» denotes the user or visitor of the website. To be exact: a natural person whose personal data is processed by a controller.
«GDPR»: General Data Protection Regulation
«EU», respectively «Union»: European Union

2. Source of the GDPR our privacy statement refers to

Link to the official website of the GDPR of the EU in all languages of its member states

3. Compliancy

In following statement we believe to have achieved utmost exactness and comprehensibility and tried to our best knowledge and belief.

III. General information about the handling of data
1. Range of processing personal data

In general we only process personal data of data subjects as far as we require it to allocate a functioning website, its content and services. Processing of personal data takes place only in compliance with the data subject. Exception takes place in those cases where prior consent in fact is not possible to obtain and processing of data is, due to statutory provision, permitted.

2. Legal basis for processing personal data

As far as the controller obtains assent for processing personal data, point (a) of Article 6(1) GDPR provides the legal basis.
Point (b) of Article 6(1) GDPR provides the legal basis for processing personal data necessary for the performance of a contract to which the data subject is party. This also includes processing needed to perform conditions prior to entering into a contract.
As far as processing personal data concerns fulfilling of a lawful obligation that the controller is subject, point (c) of Article 6(1) GDPR provides the legal basis.
In case that information of vital interest for the data subject or of another natural persons require processing personal data, point (d) of Article 6(1) GDPR serves as the legal basis.
Is processing necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, point (f) of Article 6(1) GDPR applies as legal basis.

3. Data deletion and duration of data storage

Personal data of the data subject will be deleted or locked as soon as the means of storing doesn’t apply anymore. Above all storing data can occur, as far as the controller is subject to regulations stated by EU or national legislators within legal regulations of the EU. Suspension or deletion of data can also occur, if due to the mentioned standards the required data retention period expires. Unless it’s required to store the data further to for a conclusion or fulfilment of a contract.

IV. Allocation of the website and creation of logfiles
Specification and extent of data processing

Anytime our website is visited our system does not create any server logfiles.

V. Web analysis with Matomo (formerly Piwik)
1. Description and extent of processing personal data

On our website we make use of the open-source software tool Matomo to analyse the browsing behaviour our website users. The software saves cookies onto the user’s computer.

What are cookies? Cookies are text files that are saved by the user’s browser onto the computer system. Does a user browse to a webpage a cookie can be placed onto the user’s operating system. The cookie contains a distinctive string of characters to identify the browser when the website is visited anew.

Every time a webpage is visited following data will be saved:

  1. two bytes of the IP-address of the system of the data-subject. Which means that the IP-address is anonymous,
  2. the visited website and following pages,
  3. the website of which the user arrived onto our website (referrer),
  4. the duration of the visit of a website,
  5. the frequency of visiting our website,
  6. the device type the user used (ie. desktop computer, smartphone),
  7. the device model and brand of the user's device,
  8. the screen resolition of the user's device,
  9. the operating system of the user's device,
  10. the brand of the user's browser and version,
  11. the country from where the visit originated from,
  12. language of the user’s browser,
  13. search engines that referred to our website.

The analytics software runs solely on the server where our website is hosted. Storage of personal data of the data subject exclusively occurs there. No data is passed to third parties.
Furthermore the software does not store the full IP-address, but is shortened by two bytes (ie. 192.168.xxx.xxx). Consequently, correlation of the any IP-address of the computer used for visiting our website is not possible.

2. Legal basis for processing of personal data

As far as we obtain assent for processing personal data, point (f) of Article 6(1) GDPR provides the legal basis.

3. Purpose of processing the data

Processing of above described data enables us to analyse the browsing behaviour of our users. The evaluation of that data allows us to collate the information about the website visits of the data-subjects. That allows us to make our website more user-friendly and constantly optimise it. This aim is the legitimate interest in processing data according to point (f) of Article 6(1). By making the IP-address anonymous we sufficiently accommodate the user’s interest of protecting his or her personal data.

4. Data deletion and duration of data storage

The data will be deleted as soon as they are not necessary anymore for above mentioned purposes. In our case data is deleted after 40 days.

5. Possibility to objection and removal

Cookies are saved onto the data subject’s computer system and information passed on to the controller’s server. Therefore users have full control over the usage of cookies. The user can, by changing the preferences in the browser, deactivate cookies or limit the cookie’s functionality. Cookies already saved can be deleted at any time, deletion can also be automated.

Further information according privacy protection of the Matomo Software you can find at: https://matomo.org/docs/privacy

VI. E-mail contact
1. Description and extent of processing personal data

Establishing contact with us is possible by using the provided e-mail-address. In this case personal data sent to us via e-mail will be saved.

No data will be passed on to third parties. The data will only be used for processing the conversation.

2. Legal basis for data processing

Legal basis for processing of data is, in case there consent of the user, point (a) of Article 6(1) GDPR.

Legal basis for processing data according to sending of e-mails is point (f) of Article 6(1) GDPR. Does the e-mail contact aim at a conclusion of contract, additionally point (b) of Article 6(1) GDPR is the legal basis for processing.

3. Purpose of processing data

Processing personal data of an e-mail serves for handling the e-mail conversation only. Therein lies the legitimate interest in processing the data.

4. Duration of data storage

Personal data will be deleted as soon as the conversation with the user has ended. The conversation ends, when it becomes clear of the circumstances, that the concerned inquiry was finally clarified.

5. Option for objection and deletion

At any time the user has the option to object to his or her consent of processing personal data. Does the user get in contact with us via e-mail, he or her can at any time object against storing personal data. In such a case the conversation cannot be continued.

For this case please send a letter to the address:
Tomaž Kramberger
Heßstraße 96
80767 München
Germany

All personal data that were stored for the establishing of contacts will be deleted.

VII. Rights of data subjects

In case that personal data of you is being processed, you are the person concerned by the means of the GDPR and you are entitled to following rights against the responsible party:

1. Right to information about your personal data

You can demand a confirmation from the accountable party, if personal data about you is being processed. You can demand following information:

  1. the purposes of the processing;
  2. the categories of personal data concerned;
  3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  6. the right to lodge a complaint with a supervisory authority;
  7. where the personal data are not collected from the data subject, any available information as to their source;
  8. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You’re entitled to claim information about whether personal data concerned is passed on to a third party country or to an international organisation. In that respect you can also request to be informed about eligible safeguards according to Article 46 GBPR.

2. Right to rectification

You are entitled to rectification and/or completion against the person in charge, as far as the processed data concerned is incorrect or incomplete. The person in charge has to carry out the amendment without delay.

3. Right to restriction of processing

Under following circumstances you can demand that personal data concerning you has to be restricted:

  1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  4. the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted, such personal data will be, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

After processing was rectified, according to above mentioned requirements, you will be informed by the controller before the confinement is abrogated.

4. Right to erasure («right to be forgotten»)

1. Obligation to erasure

You can demand that the party responsible immediately must delete personal data concerning you. The party responsible has to immediately delete the data provided following reasons:

  1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
  3. the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
  4. the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
  5. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  6. the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

2. Information to third parties

Did the responsible person publish the personal data concerned and is he obliged to delete the data according to Article 17(1) GDPR, the person in charge takes appropriate measures – in regard to available technology and costs of implementation – to inform the responsible people that process personal data, that the person concerned demanded the deletion of all links to the personal data its copies or replications.

3. Exeptions

The right to deletion does not apply as far as processing is required

  1. for exercising the right of freedom of expression and information;
  2. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  3. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  4. for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
  5. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  6. for the establishment, exercise or defence of legal claims.
5. Notification obligation regarding rectification or erasure of personal data or restriction of processing

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

6. Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

  1. the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
  2. the processing is carried out by automated means.

In exercising his or her right to data portability the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible. Rights and freedoms of others must not be adversely affected.

That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to object

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions.

The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

8. Right to repeal to the declaration of consent for data protection

The data subject is entitled to withdraw his or her declaration of consent for data protection at any time. The withdrawal of consent does not affect the legitimacy of prior processing with consent before the data subject’s withdrawal.

9. Automated individual decision-making, including profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
This shall not apply if the decision:

  1. is necessary for entering into, or performance of, a contract between the data subject and a data controller;
  2. is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
  3. is based on the data subject's explicit consent.

However those decisions not be based on special categories of personal data referred to in Article 9(1) GDPR, unless point (a) or (g) of Article 9(2) GDPR applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.

In the cases referred to in points (1) and (3), the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.