Privacy policy in accordance with the EU General Data Protection Regulation (GDPR)
- Name and address of the Data Controller
- Data Processors
- General information on data processing
- Provision of the website and keeping of logs
- Use of cookies
- Newsletter
- Matomo Analytics
- Vimeo Video Streaming
- Your rights
- Right to information
- Right to correction
- Right to restrict processing
- Right to deletion
- Right to notification
- Right to transferability
- Right of objection
- Right to withdrawal of consent to processing of your personal data
- Automated decision-making in specific cases, including profiling
- Right to lodge a complaint with a supervisory authority
Name and address of the Data Controller
The Controller as defined by the GDPR and other data protection laws of the EU member states as well as other data protection regulations is:
- Stephen Bosch
- Bessemerstraße 82
- 10. OG Süd
- 12101 Berlin
- Deutschland
- Tel.: +49 30 5093 1471
- E-Mail: gdpr@stephenbosch.net
- Website: www.stephenbosch.net
That's me.
▲Data Processors
The following Processors process your personal information on behalf of the Controller:
- ConvertKit LLC, 750 W Bannock St, Unit #761, Boise, ID 83702, United States of America
General information on data processing ▲
Scope of processing of personal information
In general, when you use my website, I process your personal data only insofar as is required to serve a functional website and provide you with content and services from it. Your personal data is processed only with your consent. An exception to this are cases in which it is impossible to obtain your consent in advance and the processing of your personal data is allowed by law.
▲Lawful basis for the processing of personal data
Insofar as I obtain your consent to process your personal data, Art. 6 par. 1. lit. a of the EU General Data Protection Regulation (GDPR) shall be the lawful basis for that processing. For the processing of personal data required for fulfilment of a contract to which you are a party, Art. 6 par. 1. lit. b GDPR shall be the lawful basis for that processing. This also applies to processes necessary for the execution of pre-contractual measures. Insofar as the processing of personal data is necessary for the fulfilment of my or my enterprise's legal obligations, Art 6. 1. lit. c GDPR shall be the lawful basis for that processing. In the case that your vital interests or those of another natural person make the processing of your personal data necessary, Art. 6 par. 1 lit. d GDPR shall be the lawful basis. If the processing is necessary for the purposes of my or my enterprise's legitimate interest or that of a Third Party, and your interests, fundamental rights and freedoms do not outweigh the aforementioned legitimate interest, Art 6. 1. lit. f GDPR shall be the lawful basis for that processing.
▲Data deletion and duration of storage
Your personal data will be deleted when the purpose for its storage no longer applies. Your personal data can be stored beyond this time if so provided for by European or national legislatures in EU directives, acts or other regulations to which I or my enterprise are subject. Blocking or deletion of your personal data can also occur as a consequence of time limits prescribed by the aforementioned legal norms, unless these data are required for conclusion or fulfilment of a contract.
▲Provision of the website and keeping of logs▲
Description and scope of data processing
My system collects data and information from your device each time you make a request to my website. The following data are collected:
- your browser type (
User agent
) and version; - your device's operating system;
- your device's IP address;
- date and time of your request;
- websites, from which your device browsed to my website;
- websites requested by your device via links on my website;
These data are also stored in log files on my system.
▲Lawful basis for data processing
The lawful basis for the temporary storage of your personal data is Art. 6 par. 1. lit. f GDPR.
▲Purpose of data processing
Temporary storage of your IP address by my system is required in order to serve the website to your device. The IP address must therefore be stored for the duration of the browsing session.
This purpose represents my legitimate interest in processing your personal data in accordance with Art. 6 par. 1. lit. f GDPR.
▲Duration of storage
Your personal data will be deleted as soon as they are no longer needed for the purpose of their collection. In the case of data collected in order to serve the website, these data are deleted when the session ends.
In the case of storage of the data in log files, the data will be deleted after no more than seven days. Storage beyond the aforementioned periods is possible. In that case, your IP addresses will be deleted or obscured (anonymisation) such that a connection between you and the requesting client can no longer be discerned.
▲Objection and remedy
The collection of data for the purpose of serving you its content and the storage of request data in log files is a minimum requirement for the operation of the website. Consequently, there is no provision for objection.
▲Use of cookies▲
Description and scope of data processing
My website uses cookies. Cookies are text files stored by your web browser on your device. When you load a website, a cookie can be stored on your device. This cookie contains a characteristic string that makes it possible to uniquely identify your browser at each subsequent loading of the website.
I use cookies on my website in order to analyse your browsing activity. The following data can be collected in this manner:
- a randomly generated, unique identifier assigned to you
- date and time of your first visit
- date and time of your last visit
- which pages you loaded
- how many times you loaded certain pages
Lawful basis for data processing
If you consent to the use of cookies, the lawful basis for the processing of your personal data using cookies is Art. 6 par. 1. lit. a GDPR.
▲Purpose of data processing
I process your personal data in order to analyse your browsing activity. By examining the data, I can assemble information about your use of individual parts of my website. This helps me continuously improve the content and user-friendliness of my website. This purpose represents my legitimate interest in processing your personal data in accordance with Art. 6 par. 1. lit. f GDPR. Your right to protection of your personal data is protected through anonymisation of your IP address.
▲Duration of storage
Your personal data will be deleted as soon as they are no longer needed for the purposes of use analysis.
In my case, this is after three months.
▲Objection and remedy
Cookies are stored on your device and are sent from your device to my website. As the user you therefore have complete control over the use of cookies. You can deactivate entirely or partially restrict the transmission of cookies through your web browser settings. Saved cookies can be deleted by you at any time. This can also be done automatically, if you so choose. If you deactivate cookies, some of the features of my website may stop working.
I also offer you the option of opting out of analytics. To opt-out, follow the corresponding link. When you opt-out, an additional cookie is set on your device so that my system can identify you and knows that you don't want your data stored or processed for the purposes of analysis. If you delete this cookie, you will be asked if you wish to opt-out again at your next visit.
▲Newsletter
I regularly write and distribute an e-mail newsletter to which you can subscribe free of charge via my website. This newsletter is to inform you about my current work, as well as make you aware of other interesting and useful content on my website and on other websites around the Internet. Through my newsletter, I may ask you for feedback on my content from time to time, in order to make it as valuable to you as possible. Very rarely, I may call your attention to some of my commercial products and services, and only if you give me your permission to do so.
To send you the newsletter, I use the services of ConvertKit LLC (ConvertKit LLC, 750 W Bannock St, Unit #761, Boise, ID 83702, United States of America). ConvertKit is headquartered in the United States of America, and its infrastructure is also located there.
ConvertKit is my Data Processor as defined by Art. 28 GDPR. My data processing agreement (DPA) with ConvertKit governs how your sensitive personal data are handled.
Note that, although ConvertKit handles your data conscientiously and carefully, it is subject to United States law, which may not provide you with a level of data protection guaranteed you by European law.
▲If you perform one or more of the following actions: Description and scope of data processing
- You subscribe to my newsletter;
- You open my newsletter;
- You click on links in my newsletter;
then my Data Processor ConvertKit LLC will collect the following data on my behalf:
- Your e-mail address;
- your name, if applicable;
- your device's IP address;
- device type;
- unique identifier;
- the manufacturer and model of your device;
- browser type (<q>user agent</q>) and operating system of your device;
- date and time of your request;
- your screen resolution;
- plug-ins installed on your device;
- extensions installed on your device;
- the geographical location of your device or your Internet connection;
- the link you clicked, if applicable;
- the software version of the services provided by ConvertKit.
You can find more information on the data protection measures taken by ConvertKit in its privacy policy:
https://convertkit.com/privacy ▲Lawful basis for data processing
In order to send you my newsletter, I need your consent. When you provide your consent, you also consent to performance measurement. When you subscribe to my newsletter, the newsletter content described there is material to your consent.
Insofar as I obtain your consent to process your personal data for the purposes of sending you my newsletter, Art. 6 par. 1. lit. a GDPR shall be the lawful basis for that processing.
▲Purpose of data processing
The purpose of the newsletter is to:
- inform you about my current work;
- share content (e.g. text, images) with you;
- make you aware of content on my website and on other websites which may be interesting or useful to you;
- ask you for feedback on my content;
- make you aware of my commercial offers, provided you explicitly consent to this.
Subscription
When you subscribe to my newsletter, I need your e-mail address. You may, if you choose, also provide your first and last name, so that I may personalise the newsletter for you.
Subscription proceeds via a double-opt-in process: After you enter your e-mail address, you will receive an e-mail that asks you to respond if you wish to subscribe, either by replying to the confirmation e-mail or clicking on a link in the confirmation e-mail. Only once you have done this will your subscription be confirmed. This prevents unwanted subscriptions through unknown third parties and helps catch typographic errors in the e-mail address.
▲Statistical data collection and analysis
ConvertKit uses cookies, unique identifiers (e.g. in embedded links in e-mails it sends to you) and tracking pixels to record your usage behaviour for statistical purposes.
A tracking pixel is a very small, invisible graphic, usually 1x1 pixel in size, which is embedded in the e-mail. When you open the e-mail, the pixel is loaded from an external website. When you open the newsletter under typical circumstances, the tracking pixel is loaded from ConvertKit's servers and this event is logged.
When you click on embedded links in the newsletter, your request is sent to ConvertKit's servers, logged there and then relayed to the final link target.
Newsletter e-mails may, if you so choose, be opened in your browser (e.g. if the content isn't properly displayed in your e-mail client). In this case, the newsletter content is served by ConvertKit's servers and your request is logged there.
This statistical analysis allows me to determine
- how often an e-mail was opened by subscribers;
- which content was clicked how often;
- which parts of the newsletter were read the most, if applicable.
The purpose of this statistical data collection and analysis is performance measurement and the continuous improvement of my content offering.
Although it is technically possible to connect the collected data to you personally, ConvertKit does not provide me with information about the usage activity of individual subscribers. I receive only a statistical summary of the overall usage activity of all subscribers to my newsletter.
▲Duration of storage
Your personal data are stored only as long as you are subscribed to my newsletter. If you inform me that you no longer wish to receive my newsletter, I will store your e-mail address in a block list, in order to prevent the unintended transmission of future e-mails to your address. If you do not agree to this storage of your e-mail address, please let me know by e-mail. In that case I will remove your address from the block list as well.
▲Objection and remedy
Many e-mail programmes give the user the option to block the automatic loading of images. This way, you can stop the tracking pixel from loading and avoid creating the associated event data.
You can also cancel your subscription to the newsletter and revoke your consent to receive e-mails from me at any time. Your revocation of consent automatically includes your consent to my Data Processor, ConvertKit LLC.
An unsubscribe link may be found at the end of every newsletter.
▲Matomo Analytics▲
Description and scope of data processing
I use the open-source web analytics tool Matomo Analytics on my website. This software sets cookies on your computers (please see the section on cookies above). When you request pages from my website, the following data are collected:
- two bytes of the IP address of your device;
- the page you requested;
- the website from which you browsed to the page you requested (
Referrer
); - the sub-pages you requested from the originally requested page;
- time on site;
- number of requests of the page.
This software runs exclusively on the servers of my website. Your personal data are stored there. Your personal data are not transmitted to any Third Parties.
▲Lawful basis for data processing
The lawful basis for the processing of your personal data is Art. 6 1. lit. f GDPR.
▲Purpose of data processing
I process your personal data in order to analyse your browsing activity. By examining the data, I can assemble information about your use of individual parts of my website. This helps me continuously improve the content and user-friendliness of my website. This purpose represents my legitimate interest in processing your personal data in accordance with Art. 6 par. 1. lit. f GDPR. Your right to protection of your personal data is protected through anonymisation of your IP address.
▲Duration of storage
Your personal data will be deleted as soon as they are no longer needed for the purposes of use analysis.
In my case, this is after three months.
▲Objection and remedy
Cookies are stored on your device and are sent from your device to my website. As the user you therefore have complete control over the use of cookies. You can deactivate entirely or partially restrict the transmission of cookies through your web browser settings. Saved cookies can be deleted by you at any time. This can also be done automatically, if you so choose. If you deactivate cookies, some of the features of my website may stop working.
I also offer you the option of opting out of analytics. To opt-out, follow the corresponding link. When you opt-out, an additional cookie is set on your device so that my system can identify you and knows that you don't want your data stored or processed for the purposes of analysis. If you delete this cookie, you will be asked if you wish to opt-out again at your next visit. For more information on privacy settings for Matomo Analytics, go to: https://matomo.org/docs/privacy/.
▲Vimeo Video Streaming
For the communication of certain concepts, video can be more effective than text. For this reason, I use video in some of the articles on this website. These videos are embedded on the page so that you don't need to leave the page to watch them and thus interrupt your reading flow.
In order to ensure fast and reliable streaming, I use the services of Vimeo, Inc. (Vimeo, Inc., 555 West 18th Street, New York, New York 10011, USA). Vimeo is headquartered in the United States of America, and the bulk of its infrastructure is also located there.
For more information about how Vimeo handles your sensitive personal information, see: https://vimeo.com/privacy
Note that, although Vimeo by its own assertion handles your data conscientiously and carefully and strives to comply with the GDPR, it is subject to United States law, which may not provide you with the level of data protection guaranteed you by European law.
▲Description and scope of data processing
When you visit a page with a video, your browser will establish a connection to Vimeo's servers. These servers record your IP address and set cookies to transmit a static thumbnail image and so that the video can be delivered to you and the functionality of Vimeo's video interface is maintained.
Further, Vimeo stores metadata associated with the connection, e.g.
- your device's IP address;
- device type;
- unique identifier;
- the manufacturer and model of your device;
- browser type (
user agent
) and operating system of your device; - date and time of your request;
- your screen resolution;
- plug-ins installed on your device;
- extensions installed on your device;
- the geographical location of your device or your Internet connection, and
- the link you clicked, if applicable.
Lawful basis for data processing
The lawful basis for the processing of your personal data is Art. 6 1. lit. f GDPR.
▲Purpose of data processing
This purpose represents my legitimate interest in processing your personal data in accordance with Art. 6 par. 1. lit. f GDPR.
▲Duration of storage
Your personal information is stored by Vimeo indefinitely. Nevertheless, you retain the right at all times to have Vimeo delete your personal information. For more information about how Vimeo handles your sensitive personal information, including how you can request deletion of your personal information, see: https://vimeo.com/privacy.
Objection and remedy
You can prevent the storage of cookies through your browser settings. To learn more, see the Cookies section. You retain the right at all times to have Vimeo delete your personal information. For more information about how Vimeo handles your sensitive personal information, including how you can request deletion of your personal information, see: https://vimeo.com/privacy.
▲Your rights
If your personal data are processed, you are the Data Subject as defined in the GDPR and you have the following rights vis-a-vis me (the Data Controller):
▲Right to information
You have the right to demand and receive confirmation from me that any of your personal data were processed by me or my Data Processors.
If so, you can demand from me and I must provide to you:
- the purposes for which the data were processed;
- the categories of personal data processed;
- the recipients or categories of recipients of your personal data;
- the planned duration of storage of your personal data, or, in the case that exact declarations as to the duration cannot be made, the criteria for continued storage of your personal data;
- information regarding your rights to correction or deletion of your personal data, your rights to restrict my processing of your personal data or your rights to object to such processing;
- information on your right to lodge a complaint with a supervisory authority
- all the available information on the source of your personal data, if those data were not obtained directly from you, the Data Subject;
- information about the existence of an automated decision-making system, including profiling, and information about how this system has been set up, the significance, and the consequences thereof;
You have the right to demand to know whether your personal data have been transferred to a Third Country or to an international organization; In this context, you may demand to be informed of the appropriate guarantees in accordance with Art. 46 GDPR as it pertains to the transfer of your personal data.
▲Right to correction
You have the right to demand that I correct incorrect or incomplete personal data I have about you. I must make the correction immediately.
▲Right to restrict processing
You can demand that I restrict the processing of your personal data under the following conditions:
- if you challenge the accuracy of your personal data long enough to allow me to verify its accuracy;
- the processing is unlawful, you refuse deletion of your personal data as a remedy and demand that use of your personal data is restricted instead;
- I no longer need to process your personal data, but you require these data in order to enforce, exercise or defend your lawful claims;
- if you have objected to my processing your personal data in accordance with Art. 21 1. GDPR and it has not yet been determined whether my legitimate interests outweigh your reasons for objecting.
If the processing of your personal data is restricted, these data may not be processed, unless we have your consent to do so, or the processing is in order to enforce, exercise or defend legal claims, or the processing is for the protection of the rights of another natural or legal person, or the processing is for reasons of vital legal interest to the European Union or one of its member states.
If the processing of your personal data has been restricted according to the conditions outlined above, I will inform you before the restriction is lifted.
▲Right to deletion▲
Obligation to delete
You can demand that I delete your personal data without delay, and I am obligated to delete these data without delay, provided one of the following reasons applies:
- Your personal data are no longer needed for the purposes for which they were collected or processed.
- You withdraw your consent upon which the processing depended in accordance with Art. 6 par. 1. lit. a or Art. 9 par. 2. lit. a GDPR, and there is no remaining lawful basis for the processing.
- You object to the processing of your personal data in accordance with Art. 21 1. GDPR and there are no overriding justifications for the processing, or you object to the processing of your personal data in accordance with Art. 21 2. GDPR.
- Your personal data were unlawfully processed.
- The deletion of your personal data is necessary to fulfil legal obligations under European Union law or the law of the member state to which I am subject.
- Your personal data were collected through services offered by an information society in accordance with Art. 8, 1. GDPR.
Notification of Third Parties
If I have published your personal data and am obligated under Art. 17 1. GDPR to delete that personal data, I must take appropriate measures reasonably possible under consideration of the technical feasibility and costs of implementation, including technical measures, to inform Third Party Data Controllers who process your personal data that you, as the Data Subject, have requested that they delete all links to and copies or replications of your personal data.
▲Exceptions
There is no right to deletion, if the processing of your personal data is necessary for
- the exercise of the right to free expression;
- the fulfilment of a legal obligation required by European Union law or the law of the member state to which I am subject, or of a task in the public interest or in the execution of public authority assigned to me;
- reasons of the public interest in the area of public health in accordance with Art. 9.1 lit. h and i as well as Art. 9 par. 3 GDPR;
- archival purposes in the public interest, for scientific and historical research purposes or for statistical purposes in accordance with Art. 89 par. 1 GDPR, insofar as the right named in Section a) foreseeably makes realisation of the objectives of this processing impossible or seriously limits it, or
- the enforcement, exercise or defence of lawful claims.
Right to notification
If you have exercised your right to correction, deletion or restriction of processing vis-a-vis me,then I am obligated to notify all recipients who received your personal data of this correction, deletion or restriction of processing, unless this is impossible or possible only with an unreasonable level of effort.
You have the right to be informed of these recipients.
▲Right to transferability
You have the right to receive your personal data in a structured, established and machine-readable format. In addition, you have the right to transfer your personal data to another Data Controller without hindrance by me, the Data Controller to whom the personal data were initially made available, as long as
- the processing is based on a consent in accordance with Art. 6 par. 1 lit. a GDPR or Art. 9 par. 2 lit. a GDPR or on a contract in accordance with Art. 6 par. 1 lit. b GDPR, and
- the processing is automated.
In exercising this right, you additionally have the right to request that your personal data be transferred directly from one Data Controller to another, insofar as this is technically feasible. The rights and freedoms of other persons may not thus be impaired.
The right to transferability does not apply to the processing of personal data required for the fulfilment of a task in the public interest or in the execution of public authority assigned to me.
▲Right of objection
You have the right, for reasons particular to your situation, to object to the processing of your personal data processed in accordance with Art. 6 par. 1 lit. e or f GDPR. This applies equally to profiling based on these provisions.
I will not process your personal data unless I can provide compelling, protected reasons for the processing that outweigh your interests, rights and freedoms, or the processing serves the enforcement, exercise or defence of lawful claims.
If your personal data are processed for the purpose of direct marketing, you have the right to object to such processing for direct marketing at any time. This applies equally to profiling done for direct marketing purposes.
If you object to processing of your personal data for direct marketing purposes, your personal data will no longer be processed for these purposes.
You have the option, notwithstanding EU Directive 2002/58/EC, to exercise your right to objection using automated methods that employ technical specifications.
▲Right to withdrawal of consent to processing of your personal data
You have the right to withdraw consent to processing of your personal data at any time. Your withdrawal of consent does not alter the lawfulness of the processing that occurred until your consent was withdrawn.
▲Automated decision-making in specific cases, including profiling
You have the right not to be subjected to automated processing, including profiling, if such processing has legal effect or impairs you in a similar manner. This right does not apply if the decision
- is necessary for the completion or fulfilment of a contract between you and me,
- is permitted by statutory provisions of the European Union or those of the member states to which I am subject and these provisions contain reasonable provisions for the protection of your rights and freedoms as well as your legitimate interests, or
- the decision is made with your explicit permission.
These decisions may not be based on special categories of personal data defined in Art. 9 par. 1 GDPR, provided that Art. 9 par. 2 lit. a or g GDPR do not apply and reasonable measures to protect your rights and freedoms as well as your legitimate interests have been taken.
In cases 1. and 3., I will take reasonable measures to protect your rights and freedoms as well as your legitimate interests. These rights include, at a minimum, the right to demand that I or my representative intervene personally, the right to present your case and the right to dispute a decision.
▲Right to lodge a complaint with a supervisory authority
Without prejudice to other administrative or legal remedies available to you, you have the right to file a complaint with a supervisory authority, specifically in the member state where you live, work or where the violation occurred, if you feel that the processing of your personal data violated the GDPR.
The supervisory authority that receives the complaint shall inform the complainant of the status and result of the complaint including the possibility of legal remedy in accordance with Art. 78 GDPR.