Privacy Policy

Eberbach Monastery Foundation's Privacy Policy
Valid from 23.12.2019 (status: 16.04.2024)

We take your privacy very seriously and process your personal data in accordance with the applicable statutory data protection requirements. Throughout this privacy statement, the term "personal data" refers to all information collected that is related to your person. Name, address, e-mail and IP address, user behaviour.

With the following data protection information, we inform you about the processing of your personal data by us. We also provide an overview of your data protection rights. Which data is processed in detail and how it is used depends largely on the services used, requested or agreed to.

1. Responsible body and data protection officer

(1) The responsible body pursuant to Article 4 number 7 of the General Data Protection Regulation (DS-GVO) or service provider pursuant to Section 13 of the German Telemedia Act (TMG) is:

Eberbach Monastery Foundation
D-65346 Eltville am Rhein

(2) You can reach the data protection officer of the responsible body at:

Eberbach Monastery Foundation
Data Protection Officer
D-65346 Eltville am Rhein
E-mail: datenschutz@kloster-eberbach.de

2. Source of personal data

We process personal data that we receive from you in the course of your visit to our website, in the course of your contacting us by e-mail, via a contact form or the booking function.

3. Categories of personal data processed

(1) If you visit or use our website purely for information purposes, i.e. if you do not register or otherwise transmit information to us, we will only collect the personal data that your browser transmits to our server. If you wish to view our website, we will collect the following data, which is technically necessary in order for us to display our website to you and to ensure its stability and security:

• Your IP address
• Date, time and length of your visit
• Content of the request (concrete page)
• Access status/ http status code
• The amount of data transferred in each case
• Web page from which the request comes
• Your browser
• Your operating system

This data is used exclusively for internal statistical purposes.

(2) In addition to the aforementioned data, cookies are stored on your computer when you use our website. Cookies are small text files that are stored on your hard drive and associated with the browser you are using, and through which certain information flows to the body that sets the cookie. Cookies cannot run programs or install viruses on your computer. They serve to make the internet offer as a whole more user-friendly and effective.

(3) Most browsers are set up to accept cookies. However, you can deactivate the storage of cookies in your browser at any time or set your browser so that you receive a message as soon as cookies are sent. However, in this case you may then not be able to use all the functions of this website.

(4) This information is stored separately from any other data provided to us. In particular, the cookie data is not linked to any of your other data.

4. Other functions and offers on our website

(1) In addition to the purely informational use of our website, we offer various services that you can use if you are interested. For this purpose, you will usually have to provide further personal data, which we use to provide the services and to which the aforementioned data processing principles apply.

(2) When you contact us by email or via a contact form, the data you provide (your email address and your name (first and last name, if applicable) will be stored by us in order to answer your questions. In addition, you have the option of telling us your opinion by means of a contact form. This requires the following personal data: your name, your e-mail address and what impressed you.

(3) Our website offers you the opportunity to book rooms for overnight stays online. In order to be able to make a booking, the following personal data is required: your first and last name, your address, your e-mail address and your telephone number.

(4) Furthermore, we offer you the possibility to book guided tours via our website. In this context, it is necessary for you to provide the following personal data: your first and last name, your address, your e-mail address and your telephone number.

(5) In order to access our press photo download area, the following personal data is required: your first and last name and your e-mail address.

(6) We delete the data supplied after the storage is no longer necessary or restrict the processing if there are statutory obligations to retain the data.

5. Use of eTracker

(1) The tracking tool "eTracker" from eTracker GmbH (https://www.etracker.com/) is used on our website to collect and store data for marketing and optimisation purposes. Usage profiles can be created from the stored data using a pseudonym. Mainly website information from web servers is processed for this purpose, which cannot be linked to you as an individual. Since "eTracker" is a so-called "cookie-less tracking" solution, no cookies are created, used or required for the collection and storage of your data. The reason for this is that this website information is not stored for longer than 24 hours. This means that this information can neither be assigned to you as a visitor to our website nor to your devices. The purpose of this data processing is the statistical evaluation of website usage. The data collected by "eTracker" will not be used to personally identify the visitor to this website without the separately granted consent of the person concerned. Likewise, the data collected in this way is not merged with personal data about the bearer of the pseudonym.

(2) The tracking tool "eTracker" from eTracker GmbH is used to analyse and regularly improve the use of our website. The statistics obtained enable us to improve our offer and make it more interesting for you as a user. We collect, store and process your data in order to safeguard our above-mentioned legitimate interests pursuant to Art. 6 para. 1 section f of the GDPR (analogous processing purposes). Since this involves the use of a cookie-less tracking solution, no consent pursuant to Art. 6 (1) section a of the GDPR is required for the processing. Further information from eTracker can be found here: https://www.etracker.com/wp-content/uploads/2020/03/Cookie-less-etracking.pdf

(3) You can object to the future collection and storage of this data at any time. The lawfulness of the processing carried out before the time of the objection shall remain unaffected. You can submit your objection here: http://www.etracker.de/privacy?et=nvm5YV

(4) If you require further information regarding "eTracker" and the handling of your data by eTracker GmbH, please refer to the company's data protection declaration: https://www.etracker.com/datenschutz/

6. Use of the Shariff solution for social media plugins from Google+, Facebook and Twitter

(1) We currently use the following social media plugins: Facebook, Google+, Twitter, and use the so-called Shariff solution in this context. This means that when you visit our site, no personal data is initially passed on to the providers of these plugins. The provider of the plugin can be recognised by the marking of the greyed-out box with the initial letter or logo. Contact to the services or the query is made from the server so that, instead of the visitor's IP address, only the server address is transmitted to Facebook, Google and Twitter. Only when you click on the link to share content does the plugin provider receive the information that you have accessed the corresponding website of our online offering. In addition, the data listed in section 3 of this data protection notice will be transmitted. According to Facebook, in Germany the IP address is anonymised immediately after collection. By activating the plugin, personal data is transmitted and stored (in the case of US providers, in the USA). Since the plugin provider collects data in particular via cookies, we recommend that you delete all cookies via your browser's security settings before clicking on the greyed-out box.

(2) We have no influence on the collected data and data processing procedures, nor are we aware of the full extent of the data collection, its purpose or the length of storage. We have no information on the deletion of the data collected by the plugin provider.

(3) The plugin provider stores this data as a usage profile and uses it for the purposes of advertising, market research and/or demand-oriented design of its website. Such evaluation is carried out – in addition for non-logged in users – in particular for the display of needs-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these usage profiles, whereby you must contact the relevant plugin provider to exercise this right. Via the plugins, we offer you the opportunity to interact with the social networks and other users so that we can improve our offer and make it more interesting for you as a user.

(4) The transfer of data takes place whether or not you have an account with the plugin provider or are logged in there. If you are logged in to the plugin provider, your data will be directly assigned to your account with the plugin provider. If you click the activated button and link to the page, for example, the plugin provider also saves this information in your user account and shares it publicly with your contacts. We recommend that you log out regularly after using a social network, but especially before activating the button, as this will help you to avoid an assignment to your profile with the plugin provider.

(5) Further information on the purpose and scope of the data collection and its processing by the plugin provider can be found in the following notified data protection declarations of these providers. You will also receive further information about your rights in this regard and setting options for protecting your privacy.

(6) Addresses of the providers and URLs with their data protection notices:

• Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA; http://www.facebook.com/policy.php; further information on data collection: http://www.facebook.com/help/186325668085084, http://www.facebook.com/about/privacy/your-info-on-other#applications and http://www.facebook.com/about/privacy/your-info#everyoneinfo
• Google Inc., 1600 Amphitheater Parkway, Mountainview, California 94043, USA; http://www.google.com/policies/privacy/partners/?hl=de
• Twitter Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA; http://twitter.com/privacy

7. Notes on data processing on our Facebook fan page

(1) Fundamentals

The Kloster Eberbach foundation operates a Facebook fan page under https://de-de.facebook.com/klostereberbach/. As the operator of this Facebook page, we have joint responsibility with the provider of the social network Facebook (Facebook Ireland Ltd.) within the meaning of Art. 4 No. 7 of the General Data Protection Regulation (GDPR). When you visit our Facebook page, your personal data will be processed by both responsible parties.
We have entered into a data protection shared responsibility agreement (Page Controller Addendum) with Facebook. With this agreement, Facebook recognises the joint responsibility with regard to so-called Insights data and assumes essential data protection obligations for informing data subjects, for data security and for reporting data protection breaches. Furthermore, the agreement stipulates that Facebook is the primary contact for the exercise of the rights of those affected (Art. 15 – 22 GDPR). As the provider of the social network, Facebook alone has direct access to the necessary information and can also immediately take any necessary measures and provide information. However, should our support be required, we can be contacted at any time.

(2) Use of Insights and Cookies

In connection with the operation of this Facebook fan page, we use Facebook's Insights function to obtain anonymised statistical data on the users of our Facebook fan page. Facebook provides information on Insights and Facebook fan pages via its data protection notes.
In connection with visiting our and other Facebook pages, Facebook also uses cookies and other similar storage technologies. Further information on the use of cookies by Facebook can be found in their cookie guidelines.

(3) Comments and messages; participation in competitions

On our Facebook fan page, you have the opportunity to comment on our posts, rate them and contact us via private messages or take part in competitions.

Legal basis

We operate this Facebook page to present, interact and communicate with Facebook users and other interested persons and our customers who visit our Facebook page. The processing of users' personal data is based on our legitimate interests in an optimised company and product presentation (Art. 6 para. 1 section f of the GDPR) and, in the case of participation in competitions or answering product application questions, on the basis of a (pre-)contractual relationship pursuant to Art. 6 para. 1 section b of the GDPR. The processing of users' personal data is based on our legitimate interests in an optimised company and product presentation (Art. 6 para. 1 section f of the GDPR) and, in the case of participation in competitions or answering product application questions, on the basis of a (pre-)contractual relationship pursuant to Art. 6 para. 1 section b of the GDPR.

Purpose of storage

The processing of the information generated by Insights is intended to enable us, as the operator of the Facebook fan page, to obtain statistics that Facebook compiles based on visits to our Facebook fan page. The purpose of this is to manage the marketing of our activities. This enables us, for example, to learn about the profiles of visitors who like our Facebook page or use applications on the page in order to provide them with more relevant content and to develop features that may be of greater interest to them.

In order for us to better understand how we can better achieve our business goals with our Facebook pages, demographic and geographic analyses are created from the information collected and made available to us. This information may be used to target interest-based advertisements without having direct knowledge of the visitor's identity. If visitors use Facebook on several devices, the collection and analysis can also be carried out across devices if they are registered visitors who are logged in to their own profile.

The visitor statistics created are only transmitted to us in an anonymised form. We do not have any access to the underlying data.

Furthermore, we use our Facebook page to communicate with our customers, interested parties and Facebook users and to inform them about us and our products. In this context, we may receive other information, e.g. due to user comments or private messages or because you follow us or share our content. The processing of the data is solely for the purpose of communicating and interacting with you.

Period of Storage

Your data will be deleted when the purpose for retaining ceases to exist, provided there is no obligation to retain it.

Removal & objection options

Using the settings for advertising preferences, Facebook users can influence the extent to which their user behaviour may be recorded when visiting our Facebook page. Further options are available in Facebook properties or in the right to objection form.

8. Data processing on our Instagram page

(1) Fundamentals

The Kloster Eberbach foundation operates its own Instagram account under the name kloster_eberbach. Instagram is a Facebook product and thereby part of the Facebook group. As the operator of this Instagram page, we have joint responsibility with the provider of the social network Instagram, Facebook Ireland Ltd.(Facebook) within the meaning of Art. 4 No. 7 of the General Data Protection Regulation (GDPR). By visiting our Instagram page, your personal data will be processed by both responsible parties.
We have entered into a data protection shared responsibility agreement (Page Controller Addendum) with Facebook. With this agreement, Facebook recognises the joint responsibility with regard to so-called Insights data and assumes essential data protection obligations for informing data subjects, for data security and for reporting data protection breaches. Furthermore, the agreement stipulates that Facebook is the primary contact for the exercise of the rights of the affected (Art. 15 - 22 GDPR). As the provider of the social network, Facebook alone has direct access to the necessary information and can also immediately take any necessary measures and provide information. However, should our support be required, we can be contacted at any time.

(2) Use of Insights and Cookies

In connection with the operation of this Instagram page, we use Facebook's Insights function to obtain anonymised statistical data on the users of our Instagram page. Facebook provides information on Insights and Instagram pages via its data protection notes.
In connection with visiting our and other Instagram pages, Facebook also uses cookies and other similar storage technologies. Further information on the use of cookies by Facebook be found in their cookie guidelines.

(3) Comments and messages; participation in competitions

On our Instagram page, you have the opportunity to comment on our posts, rate them and contact us via private messages or take part in competitions.

Legal basis

We operate this Instagram page to present ourselves, to interact and communicate with Instagram users and other interested persons and our customers who visit our Instagram page. The processing of users' personal data is based on our legitimate interests in an optimised company and product presentation (Art. 6 para. 1 section f of the GDPR) and, in the case of participation in competitions or answering product application questions, on the basis of a (pre-)contractual relationship pursuant to Art. 6 para. 1 section b of the GDPR. The processing of users' personal data is based on our legitimate interests in an optimised company and product presentation (Art. 6 para. 1 section f of the GDPR) and, in the case of participation in competitions or answering product application questions, on the basis of a (pre-)contractual relationship pursuant to Art. 6 para. 1 section b of the GDPR.

Purpose of storage

The processing of the information generated by Insights is intended to enable us, as the operator of the Instagram page, to obtain statistics that Facebook compiles based on visits to our Instagram page. The purpose of this is to manage the marketing of our activities. This enables us, for example, to use applications on the page in order to provide them with more relevant content and to develop features that may be of greater interest to them.

In order for us to better understand how we can better achieve our business goals with our Instagram pages, demographic and geographic analyses are created from the information collected and made available to us. This information may be used to target interest-based advertisements without having direct knowledge of the visitor's identity. If visitors use Instagram page on several devices, the collection and analysis can also be carried out across devices if they are registered visitors who are logged in to their own profile.

The visitor statistics created are only transmitted to us in an anonymised form. We do not have any access to the underlying data.

Furthermore, we use our Instagram page to communicate with our customers, interested parties and Instagram users and to inform them about us and our products. In this context, we may receive other information, e.g. due to user comments, private messages or because you follow us or share our content. The processing of the data is solely for the purpose of communicating and interacting with you.

Period of Storage

Your data will be deleted when the purpose for retention ceases to exist, provided there is no obligation to retain it.

Removal & objection options

Using the settings for advertising preferences or the form for right of objection, Instagram users can influence the extent to which their user behaviour may be recorded when visiting our Instagram page.

(4) Information on contact options and further rights as a data subject

For further information on how to contact us, including our data protection officer, on the rights of data subjects towards us and how we process personal data in other respects, please refer to the relevant sections of this privacy policy.

9. Newsletter

(1) With your consent, you can subscribe to our newsletter, with which we inform you about our current interesting offers. The advertised goods and services are named in the declaration of consent.

(2) Registration for our newsletter uses the so-called double-opt-in procedure. This means that, after your registration, we will send an e-mail to the e-mail address you provided, in which we ask you to confirm that you wish to receive the newsletter. If you do not confirm your registration within 24 hours, your information will be blocked and automatically deleted after one month. In addition, we store your IP addresses and the times of registration and confirmation. The purpose of the procedure is to be able to prove your registration and, if necessary, to clarify a possible misuse of your personal data.

(3) The only mandatory information for sending the newsletter is your e-mail address. The provision of further, separately marked data is voluntary and will be used to address you personally. After your confirmation, we will store your e-mail address for the purpose of sending you the newsletter.

(4) You can revoke your consent at any time and unsubscribe from the newsletter. You can revoke your consent by clicking on the link provided in every newsletter e-mail or by sending a message by post, by telephone or by fax to the contact details given in the imprint.

10. Magazine Klosterbote

(1) With your consent, you can subscribe to our Klosterbote magazine, in which we inform you about our current interesting offers. The advertised contents are named in the declaration of consent.

(2) Registration to receive our Klosterbote magazine by e-mail uses the so-called double-opt-in procedure. This means that, after your registration, we will send an e-mail to the e-mail address you provided, in which we ask you to confirm that you wish to receive the newsletter. If you do not confirm your registration within 24 hours, your information will be blocked and automatically deleted after one month. In addition, we store your IP addresses and the times of registration and confirmation. The purpose of the procedure is to be able to prove your registration and, if necessary, to clarify a possible misuse of your personal data.

(3) The only mandatory information for sending the magazine is your e-mail address. The provision of further, separately marked data is voluntary and will be used to address you personally. After your confirmation, we will store your e-mail address for the purpose of sending you the newsletter.

(4) To register to receive our Klosterbote magazine by post, you must provide the following personal data: your first and last name and your address.

(5) You can revoke your consent at any time and unsubscribe from the newsletter. You can revoke your consent by clicking on the link provided in every newsletter e-mail or by sending a message by post, by telephone or by fax to the contact details given in the imprint.

11. Press mailing list

(1) With your consent, you can subscribe to our press releases, in which we will send you media-relevant information. The advertised contents are named in the declaration of consent.

(2) Registration for our press releases uses the so-called double-opt-in procedure. This means that, after your registration, we will send an e-mail to the e-mail address you provided, in which we ask you to confirm that you wish to receive the newsletter. If you do not confirm your registration within 24 hours, your information will be blocked and automatically deleted after one month. In addition, we store your IP addresses and the times of registration and confirmation. The purpose of the procedure is to be able to prove your registration and, if necessary, to clarify a possible misuse of your personal data.

(3) Mandatory information for inclusion in our press release list is your first and last name, your e-mail address and, in addition, your medium and the desired area of interest. The provision of further, separately marked data is voluntary. After your confirmation, we will store your e-mail address for the purpose of sending you the press releases.

(4) You can revoke your consent at any time and unsubscribe from the press releases. You can revoke your consent by clicking on the link provided in every press release e-mail or by sending a message by post, by telephone or by fax to the contact details given in the imprint.

12. Fundraising box

(1) On our website you have the possibility to make an instant donation via the donation form Spendino from GRÜN Software GmbH. The financial transaction data is only processed by Spendino on their servers. GRÜN Software AG, Pascalstraße 6, 52076 Aachen provide their data protection declaration under gruen.net/datenschutz

(2) For online donations, the following personal data is required: your title, your first and last name, your address, your e-mail address, the duration or frequency of your donation, your bank details and the country in which you live.

(3) Should you decide to pay with the online payment service provider PayPal, your contact details will be transmitted to PayPal as part of the donation process. This transfer is necessary to process your donation with your selected payment method. The main personal data transmitted to PayPal is first name, last name, address, telephone number, IP address, e-mail address, or other data required for processing, as well as data related to the donation. Depending on the payment method selected via PayPal, the personal data transmitted to PayPal will be transferred by PayPal to credit reference agencies. Which credit agencies are involved and which data is generally collected, processed, stored and passed on by PayPal can be found in PayPal's data protection information at https://www.paypal.com/de/webapps/mpp/ua/privacy-prev

13. Use of Google reCAPTCHA

We use the "reCAPTCHA" service of the U.S. provider Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) as part of the operation of our website. When offering our contact form (kloster-eberbach.de/en/kontakt), the "reCAPTCHA" service primarily enables us to differentiate whether an entry is made by a natural person or abusively by machine and automated processing (e.g., through bots).

When you use reCAPTCHA, your personal data will be processed:

• Referrer URL
• IP address
• Language settings
• Browser used
• Access location
• Period of use
• Time zone
• Installation of browser plug-ins
• Interactions (e.g. mouse movements)

We are aware of the transfer of your personal data to a third country (here: USA) and have concluded a data processing agreement with Google LLC in accordance with Art. 28 GDPR, including the modular standard contractual clauses of the European Commission , in order to take into account the security and integrity of your personal data. In the case of self-certification of the provider Google LLC. under the EU-U.S. Data Privacy Framework, this applies in addition.

We base the use of Google reCAPTCHA and the associated data processing on the pursuit of a legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR (process optimization, prevention of fraud, security). Of course, you have the right to object to the processing of your personal data by reCAPTCHA at any time in accordance with Art. 21 GDPR.

We only store your personal data for as long as it is required to achieve the original purpose for which it was collected. If this purpose no longer applies or if you object to this data processing, we will erase your personal data unless we are obliged to continue storing it due to statutory retention periods.

Further information on Google reCAPTCHA and Google's privacy policy can be found at: google.com/intl/de/policies/privacy

14. Amazon smile

(1) Our website offers you the opportunity to support the Kloster Eberbach Foundation by making a purchase from the external service provider Amazon Smile. The links integrated into the website redirect you to Amazon Smile; the purchase is made exclusively via the Amazon Smile account, so that the personal data required for a purchase (e.g. address and bank details) is not transferred to our website. The processing of personal data, which is required for purchasing over Amazon Smile, is subject to the terms and conditions of Amazon Smile. Amazon Smile does not send any data or information about purchases or persons to us.

(2) Amazon Smile is operated by Amazon EU S.à r.l. (Société à responsabilité limitée), 5 Rue Plaetis, L-2338 Luxemburg and Amazon EU SARL, Niederlassung Germany, Marcel-Breuer-Straße 12, 80807 München. Further information on Amazon Smile's data protection policies can be found under: https://smile.amazon.de/gp/help/customer/display.html/ref=smi_ge_ft_priv?ie=UTF8&nodeId=3312401

15. Categories of recipients of the personal data

(1) Individual aforementioned processes and services are carried out by carefully selected service providers operating in accordance with data protection principles. These external service providers are bound by our instructions and are regularly monitored. These will not provide your data to any third parties.

(2) With regard to the disclosure of data to further recipients, we will only disclose information about you if required by law, you have given your consent or we are authorised to disclose it. If these conditions are met, recipients of personal data may include:

• Public bodies and institutions (e.g. tax authorities, law enforcement agencies) in the event of a legal or official obligation.
• Other companies or comparable institutions to which we transfer personal data in order to carry out our business relationship with you.

(3) In order to process the SEPA direct debit mandates issued to us by donors, we work together with our cooperation partner Spendino from GRÜN Software GmbH, with whom we have concluded an order processing agreement in accordance with Art. 28 of the GDPR. The financial transaction data is only processed by Spendino on their servers. GRÜN Software AG, Pascalstraße 6, 52076 Aachen provide their data protection declaration under gruen.net/datenschutz. Further information on GDPR-compliant fundraising with GRÜN Spendino can be found under www.gruen.net/GDPR-konformes-fundraising-mit-gruen-spendino/

16. Purposes for which personal data is processed and legal bases for the processing

We process your personal data in compliance with the applicable statutory data protection regulations. This processing is lawful if the following conditions are met:

(1) Consent (Article 6(1)(a) GDPR:
The processing of personal data is lawful if the data subject has given consent to the processing of his or her personal data for one or more specific purposes (e.g. processing of your request, use of the data for marketing purposes). (3) Consent to the future collection and storage of this data can be withdrawn at any time. This also applies to the withdrawal of consent given to us prior to the validity of the GDPR, i.e. prior to 25 May 2018.

(2) Due to contractual obligations (Article 6(1)(b) GDPR):
We process personal data in order to fulfil our contractual obligations or to carry out pre-contractual measures which are made upon request. The purposes of the data processing result primarily from your request.

(3) Due to legal requirements (Article 6(1)(c) GDPR:
The Kloster Eberbach Foundation is subject to various legal obligations. These include, among others:

• Commercial and tax retention regulations in accordance with the German Commercial Code and the German Fiscal Code,
• Fulfilment of checking and reporting obligations under tax law.

(4) Within the framework of the balancing of interests (Article 6(1) f) GDPR:
Where necessary, we process your data beyond the actual performance of the contract to protect our legitimate interests or those of third parties. For example:

• Assertion of legal claims and defence in legal disputes,
• Ensuring IT security and IT operations,
• To analyse and improve the use of our website,
• For the use of social media plugins.

17. Intention to transfer personal data to a third country or an international organisation

An active transfer of personal data to a third country only takes place if this has been expressly indicated within the scope of the aforementioned services.

18. Criteria for determining the duration for which personal data are stored

(1) The data shall be stored in accordance with statutory provisions on data processing and in compliance with statutory retention periods. We process and use your data exclusively for the purposes for which you have authorised us and for as long as the data is required for these purposes.

(2) If the data is no longer required for the purpose or for the fulfilment of legal obligations, it is usually deleted, unless its further processing – limited in time and scope – is necessary for the following purposes:

• The fulfilment of obligations to retain under commercial and tax law: namely, the German Commercial Code (HGB) and the German Fiscal Code (AO). Accordingly, the retention and documentation periods are set at up to 10 years as default.
• Preservation of evidence within the framework of statutory limitations: According to §§ 195 et seq. of the German Civil Code (BGB), the normal limitation period is three years, but under special circumstances can be up to 30 years.

19. Your data protection rights

(1) Every data subject shall have the right of access under Article 15 of the GDPR, the right of rectification under Article 16 of the GDPR, the right of erasure under Article 17 of the GDPR, the right to restrict processing under Article 18 of the GDPR, the right to object under Article 21 of the GDPR and the right to data portability under Article 20 of the GDPR. With regard to the right to information and the right of deletion, the restrictions according to §§ 34 and 35 of the Federal Data Protection Act (BDSG) apply. In addition, there is a right of appeal to a competent data protection supervisory authority (Article 77 of the GDPR in conjunction with Section 19 of the BDSG).

(2) Consent to the future collection and storage of personal data can be withdrawn at any time. This also applies to the withdrawal of consent given to us prior to the validity of the GDPR, i.e. prior to 25 May 2018,

(3) You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6(1)(e) of the GDPR (data processing in the public interest) and Article 6(1)(f) of the GDPR (data processing on the basis of a balance of interests).
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for its processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

The objection can be made without formalities and should preferably be addressed to:

The Eberbach Monastery Foundation
Data Protection Officer
D-65346 Eltville am Rhein
E-mail: datenschutz@kloster-eberbach.de

20. Obligation to provide and possible consequences of not providing personal data

When using our services, you must provide the personal data that is required to fulfil the purpose or that we are legally obliged to collect. Without this data, we will generally not be able to conclude or execute the contract with you.

21. Existence of automated decision-making including profiling

As a matter of principle, we do not use fully automated decision-making pursuant to Article 22 of the GDPR to establish and implement the business relationship. Should we use this procedure in individual cases, we will inform you of this separately, insofar as this is required by law.

22. Changes to the data protection notice

We continuously develop and optimise our services. So it may be that we will add new functionalities. Should this have an impact on the way in which your personal data is processed, we will inform you in good time in our data protection notices.