Data Protection

Data privacy statement according to the GDPR

I. Name and address of the party responsible
Party responsible in terms of the GDPR and other national data privacy laws of the member states as well as other data privacy regulations is the company

nuggets – market research & consulting GmbH
Wellingsbütteler Landstraße 61
22337 Hamburg
Germany
Tel.: +49 (0)40 466 56 79 00
E-Mail: info@nuggets-mr.de
Website: www.nuggets-mr.de
1. Name and address of the data security officer
Data security officer of the party responsible is

Janine Anke
Wellingsbütteler Landstraße 61
22337 Hamburg
Germany
Tel.: +49 (0)40 466 56 79 04
E-Mail: datenschutz@nuggets-mr.de
Website: www.nuggets-mr.de

2. General remarks on data processing
1. Scope of processing of personal data
As a basic principle, we only process personal data of our users to the extent that is required to ensure that the website and its content and services work properly. The processing of personal data of our users on a regular basis is only carried out after the user stated his consent. Exceptions are cases where a preceding consent of the user cannot be obtained for actual reasons and a processing of data is allowed by legal regulations.

3. Legal basis for the processing of personal data
If we obtain the consent to data processing procedures by the people concerned, Article 6, paragraph 1, point (a) of the EU General Data Protection Regulation (GDPR) is the legal basis.
With the processing of personal data required to fulfill a contract of which the person concerned is a contracting party, Article 6, paragraph 1, point (f) GDPR is the legal basis. This also applies to processing procedures required to conduct pre-contractual measures.
If processing personal data is required to fulfill a legal obligation our company is subject to, Article 6, paragraph 1, point (c) GDPR is the legal basis.
If vital interests of the person concerned or of another natural person require the processing of personal data, Article 6, paragraph 1, point (d) GDPR is the legal basis.
If data processing is required to maintain a vital interest of our company or of a third party and if interests, basic rights and fundamental freedoms of the person concerned do not outweigh this interest mentioned first, Article 6, paragraph 1, point (f) GDPR is the legal basis for this processing.

4. Deletion of data and duration of data storage
Personal data of the persons concerned are deleted or suspended as soon as the reason for storage does not apply anymore. An extended storage can happen, if this is provided for by EU or national law in EU regulations, laws or other directions the responsible party is subject to.  Suspension or deletion of data also will occur, if a time limit for data retention provided by the norms mentioned expires, unless there is a necessity for further data retention for closing or fulfilling a contract.

5. Provision of the website and generation of logfiles
1. Description and scope of data processing
When using the website for informational reasons only – that is, if you don’t register or transfer information in any other way – we only gather personal data your browser sends to our server. If you want to view the website, we gather the following data which is technologically required to present our website to you and to guarantee stability and security:

(1) Information on the type of browser and the version used
(2) The operating system of the user
(3) The internet service provider of the user
(4) The IP address of the user
(5) Date and time of access
(6) Time zone difference to Greenwich Mean Time (GMT)
(7) Websites from which the system of the user gets to our website
(8) Websites the system of the user visits via our website
(9) Access status/http status code
(10) Amount of data transmitted each time
This information will also be stored in the logfiles of our system. A storage of this information together with other personal data of the user does not occur.

6. Legal basis for data processing
Legal basis for the temporary storage of data and for the logfiles is Article 6, paragraph 1, point (f) GDPR.

7. Purpose of data processing
The temporary storage of the IP address by the system is required to ensure a delivery of the website to the user. To this end, the IP address has to be stored for the duration of the session.

A storage of the logfiles is done to ensure the functionality of the website. This data also serves for optimization of the website and to ensure the security of our information-technological systems. An analysis of this information for marketing purposes does not occur in this context.

Our legitimate interest in data processing according to Article 6, paragraph 1, point (f) GDPR is based on these purposes as well.

8. Duration of storage
The information will be deleted as soon as it is not required anymore for the purposes it was gathered for. In the case of gathering data to provide the website, this is the case when each session is terminated.

In the case of storing data in logfiles, this is he case after 7 days at the latest. An extended storage is possible. In this case, the IP addresses of the users are deleted or blurred, making it impossible to assign the visiting client.

9. Objection and removal option
Gathering data to provide the website and the storage of data in logfiles are mandatory for the operation of the website. The user has no option to object to it.

10. Use of cookies
1. Description and scope of data processing
Our website uses cookies. Cookies are text files which are saved within the internet browser or on the computer system of the user by the internet browser respectively. When a user visits a website, a cookie can be saved on the user’s operating system. This cookie contains a characteristic string which makes a clear identification of the browser possible upon a following visit to the website.
We use cookies to design our website more user-friendly. Some elements of our website require that the visiting browser can be identified even after changing websites.
The following data is stored and transmitted in the cookies:
(1) Language settings
(2) Log-in information
2. Legal basis for data processing
The legal basis for the processing of personal data by using cookies is Article 6, paragraph 1, point (f) GDPR.
3. Purpose of data processing
The purpose of the use of technologically required cookies is to simplify the use of the website to the user. Some functions of our website cannot be provided without the use of cookies. For these functions, it is required that the browser can be recognized even after the website was left.
We require cookies for the following applications:
(1) Transfer of language settings
User data gathered by technologically required cookies is not used to create user profiles.
Our legitimate interest in processing personal data according to Article 6, paragraph 1, point (f) GDPR is based on these purposes as well.

4. Duration of storage, objection and removal option
Cookies are saved on the user’s computer and transferred from there to our website. That is why you as a user are in full control of the use of cookies. By changing the settings of your internet browser, you can deactivate or limit the transfer of cookies. Cookies which have already been saved can be deleted at any time. This can be done in an automated way as well. If cookies are disabled for our website, it is possible that not all functions of our website can be used to full extent any longer.

11. Newsletter
1. Description and scope of data processing
Information on the newsletter based on a model by attorney in law Dr. Thomas Schwenke

12. Content of the newsletter
On our website, you have the option to subscribe to a newsletter free of charge with which we provide information on the latest research findings from our company, our methods or research approaches and other news from our company at irregular intervals.

13. Data processing upon registration
When you register for the newsletter, data from the input mask is transferred to us. The only mandatory field for the transmission of the newsletter is your email address. Entering other, especially highlighted data is voluntary and is used to be able to address you personally.
Registration to our newsletter follows the double-opt-in procedure. This means that you will receive an email after registration within which you will have to confirm your registration once again. This registration is required to ensure that nobody can register with someone else’s email address.
In addition, the following data is gathered upon registration:
(1) IP address of the visiting computer
(2) Date and time of registration
We ask for your consent to processing data upon registration and refer to this data privacy statement.
By subscribing to our newsletter, you declare consent to receiving it and to the following procedures.

14. Use of the mailing service „MailChimp“
Mailing of the newsletter is done via „MailChimp“, a newsletter dispatch platform of the US provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA.
The email addresses of our newsletter subscribers, as well as other data described within the framework of this information, are saved on servers of MailChimp in the USA. MailChimp uses this information to mail the newsletter and to analyze it on our account. Furthermore, MailChimp can use this data to optimize or improve its own services, for example for technical optimization of mailing or of the representation of the newsletter or for economic reasons, to determine from which country the recipients come. However, MailChimp does not use data from out newsletter resipients to contact them themselves or to pass it on to a third party.
We trust in the reliability and the IT security as well as data security of MailChimp. MailChimp is certified under the US-EU data privacy treaty „Privacy Shield“ and commits itself that way to comply with EU data privacy demands. Furthermore, we concluded a „Data Processing Agreement“ with MailChimp. This is a contract in which MailChimp commits itself to protect our users’ data, to process it on our account in line with its data privacy regulations and especially not to pass it on to third parties. You can see MailChimp’s data privacy regulations here: https://mailchimp.com/legal/privacy/
Except for this, there is no passing-on to third parties. Data is used for the mailing of the newsletter only.

15. Statistical survey and analyses
The newsletters contain a so-called „web-beacon“,  which is a pixel-sized file which is retrieved from the server of MailChimp upon opening the newsletter.  Within the framework of this retrieval, technical information such as information on the browser and your system, as well as your IP address and the time of retrieval is gathered initially. This information is used to improve the services technologically based on the technical data or the target groups and their reading behavior by means of the places where they retrieve it (which can be determined by the IP address) or their times of access.
It is also part of the statistical survey to determine if the newsletter is opened, when it is opened, and which links are clicked. This information can be allocated to the individual newsletter addressees for technical reasons, but it neither our desire nor the desire of MailChimp to watch individual users. Instead, the analyses serve to make us understand the reading habits of our users and to adapt our content to them or to mail varying content according to the interests of our users.

16. Online retrieval and data management
There are cases where we redirect newsletter recipients to the website of MailChimp. For example, newsletter recipients can correct their data later, like their email address, for example. The data privacy statement of MailChimp is available at their website only as well.
In this context, we point out that cookies are used on the websites of MailChimp and that way personal data is processed by MailChimp, their partners and services used (for example Google Analytics). We have no influence on this data gathering. You can find further information in the data privacy statement of MailChimp (https://mailchimp.com/legal/privacy/). Furthermore, we point out to you the options to reject data gathering for advertising purposes on the websites  http://www.aboutads.info/choices/ and http://www.youronlinechoices.com/ (for the European region).

17. Legal basis of the data processing
Legal basis for data processing after registration for the newsletter by the user is, in case of an existing consent of the user, Article 6, paragraph 1, point (a) GDPR as well as § 7, paragraph 2, Nr. 3, or paragraph 3 of the Law Against Unfair Competition respectively.
The use of the mailing service MailChimp, the conduct of statistic surveys and analyses and the protocolling of the sign-on happen based on our legitimate interests according to
Article 6, paragraph 1, point (f) GDPR. Our interest aims at the use of a user-friendly and secure newsletter system which serves our business interests as well as fulfills the expectations of our users.

18. Purpose of data processing
Gathering the email address of the user serves the mailing of the newsletter. Gathering given name and family name serves a personalized addressing in the newsletter.

Gathering other personal data within the framework of the sign-on process serves to prevent misuse of the services or the email address used.

19. Duration of storage
Data will be deleted as soon as it is not required anymore for the purposes it was gathered for. The email address of the user will be saved as long as the subscription is active.

The remaining personal data gathered in the framework of the sign-on procedure is usually deleted within a period of seven days.

20. Rejection and removal option
You can cancel your consent for the sending of the newsletter anytime and unsubscribe the newsletter. By doing so, your consent to the mailing via MailChimp and the statistical analyses is automatically cancelled as well. A separate cancellation of the mailing via MailChimp or the statistical analyses unfortunately is not possible.
You can cancel by clicking the link provided in each newsletter or via email to info(at)nuggets-mr.de.
You will find a link to cancel the newsletter at the end of each newsletter.

21. Contact form and email contact
1. Description and scope of data processing
There is a contact form on our website which can be used to make contact electronically. If the user chooses this option, data entered into the input mask is transferred to us and saved. The following data is saved:
(1) Your name
(2) Your email address
(3) Possibly further information you transfer us via the contact form
You will be asked for your consent to process this data in the context of sending and you will be directed to this data privacy statement.

Alternatively, you can make contact via the email address provided. In this case, the personal data sent by the user via tis email is saved.

In this context, there will be no transfer of data to third parties. This data will exclusively be used to process the conversation.

22. Legal basis for data processing
Legal basis for the processing of data upon presence of the user’s consent is Article 6, paragraph 1, point (a) GDPR.

Legal basis for the processing of data transferred in the context of the sending of an email is Article 6, paragraph 1, point (f) GDPR. If the email is aiming at forming a contract the additional legal basis for processing is Article 6, paragraph 1, point (b) GDPR.

23. Purpose of data processing
The processing of personal data from the input mask only serves us for the handling of the contact that is being made. In case of contact making via email this is the required legitimate interest in processing the data as well.
Other personal data processed during the process of sending serves as a means to prevent misuse and to ensure the security of our IT systems.

24. Duration of storage
Data will be deleted as soon as it is not required anymore to achieve the purpose of its gathering.  In case of personal data from the input mask of the contact form and for data sent via email, this is the case when it can be told from the circumstances that the according issue addressed has been clarified in a final way.

Additional data gathered during the process of sending is deleted after a period of seven das at the latest.

25. Rejection and removal option
The user can cancel his consent to the processing of personal data anytime. If the user makes contact with us via email, he can reject the storage of personal data anytime. In such a case the conversation cannot be continued.

All personal data saved in the context of making contact will be deleted in such a case.

26. Integration of third party services and content
1. Description and scope of data processing
On our website, we use offerings, content and services from third-party suppliers. This includes fonts from Google Fonts and maps from Google Maps. Integration of third-party content always includes that the third-party suppliers can see the IP address of the user, as they could not send the content to the user’s browser without the IP address. That way, the IP address is required for the presentation of this content. Furthermore, third-party suppliers can place their own cookies and process the user’s data for their own purposes. In the course of this, user profiles can be generated about the user from processed data.
2. Legal basis for data processing
Legal basis for the processing of this data is Article 6, paragraph 1, point (f) GDPR.
3. Purpose of data processing
The use of Google Fonts ensures that all content of our website can be presented correctly. By integrating Google Maps, we can show interactive maps directly on our website and enable you to use the map function conveniently. Integration of the content of third-party suppliers always implies that the third-party suppliers can see the IP address of the user, because they cannot send their content to the user’s browser without the IP address. That way, the IP address is required for the presentation of this content.
We will use content in a way that tries to save data as much as possible and avoids data as much as possible and will also choose third-party suppliers which are reliable regarding data security.
4. Duration of storage, objection and removal option
The following description provides an overview of third-party suppliers as well as their content, together with links to their data privacy statements which provide further information on the processing of data and – as partly mentioned here before – objection options (so-called opt-out):
(1) External fonts from Google, Inc., https://www.google.com/fonts (“Google Fonts”).
Integration of Google Fonts is done via a server call-up at Google (usually within the USA). Data privacy statement: https://www.google.com/policies/privacy/,
Opt-out: https://www.google.com/settings/ads/.
(2) Maps from the service “Google Maps” provided by the third-party supplier Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data privacy statement: https://www.google.com/policies/privacy/, Opt-Out: https://www.google.com/settings/ads/.

27. Rights of the person concerned
If personal data from you is processed, you are a person concerned within the meaning of GDPR and you are due to the following rights regarding the party responsible:
1. Right to information
You can demand a confirmation from the party responsibly as to whether personal data concerning you is processed.
If such a processing is the case, you can demand to get informed by the party responsible about the following information:
(1)    the purposes to which personal data is processed;
(2)    the categories of personal data being processed;
(3)    the recipients or categories of recipients respectively to whom the according personal data concerning you was disclosed or will be disclosed in the future;
(4)    the planned duration of storage of personal data concerning you or – in case specific periods cannot be given – criteria for a determination of the duration of storage;
(5)    the existence of a right to correct or delete personal data concerning you, the right to limit the processing by the party responsible or the right of objection regarding this processing;
(6)    the existence of a right of complaints at a supervisory authority;
(7)    all information available on the origin of the data, if the personal data wasn’t gathered from the person concerned;
(8)    the existence of automated decision making including profiling according to Article 22, paragraphs 1 and 4 GDPR and – at least in these cases – meaningful information on the logic involved as well as the scope and the intended effects of such a processing for the person concerned.
You have the right to demand information on whether the according personal data will be transferred to a third country or to an international organization. In this context, you can demand to get informed on the appropriate guarantees according to Article 46 GDPR in the context of this transfer.

28. Right to correct
You have a right to correction and/ or completion with the party responsible, as long as the processed personal data concerning you is incorrect or incomplete. The party responsible has to correct immediately.

29. Right to limitation of spreading
Under the following conditions you can demand a limitation of the spread of personal data concerning you:
(1)    if you deny the accuracy of the personal data concerning you for a period of time which allows the party responsible to check the accuracy of said personal data;
(2)    spreading it is illegitimate and you reject deleting that personal data, demanding a limitation of the use of said personal data instead;
(3)    the party responsible does not require the personal data for the purpose of processing any longer, but you need it for the enforcement, exertion or defense of legitimate claims; or
(4)    if you filed and objection against processing according to Article 21, paragraph 1 GDPR and it is not certain yet whether the legitimate reasons of the party responsible outweigh your reasons.
If the processing of personal data concerning you was limited, this data – apart from storage – can only be processed with your consent or to enforce, exert or defend legitimate claims or to protect the rights of another natural or legal person or for reasons of an important public interest of the European Union or a member state.
If processing was limited according to the conditions mentioned above, you will be informed by the party responsible before the limitation is cancelled.

30. Right to deletion
a) Obligation for deletion
You can demand from the party responsible that personal data concerning you is deleted without delay and the party responsible is obligated to delete said data without delay as long as one of the following reasons applies:
(1)    The personal data concerning you is not required anymore for the purposes it was gathered or processed in any other way.
(2)    You cancel your consent on which the processing was based according to Article 6, paragraph 1, point (a) or Article 9, paragraph 2, point (a) GDPR, and there is no other legal basis for processing.
(3)    You file an objection according to Article 21, paragraph 1 GDPR against processing and there are no prior-ranking legitimate reasons for processing or you file an objection against processing according to Article 21, paragraph 2 GDPR.
(4)    The personal data concerning you was processed illegitimately.
(5)    The deletion of the personal data concerning you is required to fulfill a legal obligation according to EU law or the laws of a member state the party responsible is subject to.
(6)        The personal data concerning you was gathered regarding services offered by the information company according to Article 8, paragraph 1 GDPR.

31. Information to third parties
If the party responsible has made personal data concerning you public and if it is obliged to delete them according to Article 17, paragraph 1 GDPR, it will take measures which are suitable considering available technologies and the costs of implementation – also measures of a technological kind – to inform those parties responsible for the processing of data who process said personal data that you as the person concerned demanded deletion of all links to said personal data or to copies or replications of said personal data.

32. Exceptions
The right to deletion does not apply if the processing is required
(1)    to exert the right to freedom of expression and information;
(2)    to fulfill a legal obligation which requires the processing according to EU law or the laws of the member state the party responsible is subject to, or to exert a task which is within public interest or which is done by exerting public authority which has been delegated to the party responsible;
(3)    for reasons of public interest in the field of public health according to Article 9, paragraph 2, point (h) and (i) as well as Article 9, paragraph 3 GDPR;
(4)    for purposes of filing what is in public interest, for scientific or historical purposes or for statistical purposes according to Article 89, paragraph 1 GDPR, in case the right mentioned under a) is likely to make the realization of the goals of this processing impossible or seriously diminishes it, or
(5)    to assert, exert or defend a legal claim.

33. Right to notification
If you have asserted the right to correction, deletion or limitation of procession towards the party responsible, it is obliged to notify this correction or deletion of data or limitation of processing to all recipients to whom the according personal data was disclosed, unless this proves to be impossible or involves disproportionate effort.
Towards the party responsible you have the right to get notified about these recipients.

34. Right to data transferability
You have the right to receive the personal data concerning you which you have provided to the party responsible in a structured, common and machine-readable format. You also have the right to transfer this data to another responsible party without hindrance from the party responsible, as long as
(1)    the processing is based on a consent according to Article 6, paragraph 1, point a GDPR or Article 9, paragraph 2, point (a) GDPR or on a contract according to Article 6, paragraph 1, point (b) GDPR and
(2)    the processing is conducted by means of an automated procedure.
In the exercise of this right you also have the right to obtain that the personal data concerning you is transferred by the party responsible to the other party responsible, as long as this is technically feasible. Liberties and rights of other persons mustn’t be impaired by this.
The right to data transferability does not apply to a processing of personal data required for exercising a public task which is in public interest or occurs in exertion of public authority which has been delegated to the party responsible.

35. Right to objection
Regarding the processing of personal data concerning you which was gathered according to Article 6, paragraph 1, point (e) or (f) GDPR, you have the right to object anytime, based on reasons arising from your specific situation; this also applies to a profiling based on these regulations.
The party responsible will not process said personal data concerning you anymore, unless it can prove imperative reasons worthy of protection for processing which outweigh your interests, rights and liberties, or the processing serves the assertion, exertion or defense of legal claims.
In case the personal data concerning you is processed to practice direct advertising, you have the right to object to the processing of said personal data concerning you for the purposes of such advertising any time; this also applies to profiling, as far as it is connected to such direct advertising.
In case you object to the processing for the purpose of direct advertising, the personal data concerning you will not be processed for such purposes anymore.
In the context of the use of services from information companies – guideline 2002/58/EG notwithstanding – you have the option to practice your right to objection by means of automated procedures with which technological specifications are used.

36. Right to cancellation of the data protection laws related statement of consent
You have the right to cancel your statement of consent regarding data protection laws at any time. The legitimacy of processing up to the time of cancellation is not affected by the cancellation of your consent.

37. Automated decision making in individual cases including profiling
You have the right not to be subject to a decision based on automated processing only – including profiling, which develops a legal effect on you or impairs you significantly in a similar way. This does not apply, if the decision
(1)    is required for the conclusion of a contract or the fulfillment of a contract between you and the party responsible,
(2)    is admissible based on legal provisions of the EU or of the member states the party responsible is subject to and if these legal provisions contain appropriate measures to protect your rights and liberties as well as your legitimate interests or
(3)    takes place with your explicit consent.
Even so, these decisions mustn’t be based on specific categories of personal data according to Article 9, paragraph 1 GDPR, as long as Article 9, paragraph 2, points (a) or (g) GDPR do not apply and appropriate measures to protect the rights and liberties as well as your legitimate interests have been undertaken.
Regarding the cases mentioned in (1) and (3) the party responsible will undertake appropriate measures to protect the rights and liberties as well as the legitimate interests, which includes at least the right to obtain an intervention from a person of the party responsible, to state your own point of view and to appeal against the decision.

38. Right to complain at a supervisory authority
Without prejudice to another legal remedy from administrative law or a court, you have the right to complain at a supervisory authority, especially in the member state of your residence, your workplace or of the alleged infringement, if you are of the opinion that the processing of the personal data concerning you infringes the GDPR.
The supervisory authority where you filed your complaint notifies the appellant about the state of affairs and the results of the complaint including the option of a judicial remedy according to Article 78 GDPR.