We are delighted that you are interested in our services and we want to make sure that you feel you have come to the right place, including when it comes to how we handle your personal data. We take protecting your personal data very seriously. We want you to know when we collect data, what data we collect and how we use it. Below, you will find details on the type of personal data we collect, on the extent of the collected data, on the reasons why we do so and what we use the collected data for. You can check back to these details on our website at any time.
To ensure that your personal data remains safe, we ensure that your data are protected from access by unauthorized parties and from unauthorized disclosure. Your data will not be supplied to third parties without authorisation.
If you have any questions or suggestions regarding this data policy, or concerning data protection in general, please feel free to contact us.
I. Name and address of controller
The controller as defined in the General Data Protection Regulation (GDPR) and other data protection laws nationally applicable in the EU member states or other regulations related to data protection is:
Climate Risk Analysis Manfred Mudelsee e. K.
Telephone: +49 5563 9998140
Throughout this site, the company is also referred to as Climate Risk Analysis or CRA.
II. Name and address of data protection officer
Not applicable since CRA does not perform a "comprehensive and systematic" observation and analysis of personal data, see the GDPR, article 37, paragraph 1, points b and c.
III. General information about data processing
1. Extent of personal data processing
We process our users' personal data only to the extent required for providing a functional website and supplying our content and services. We process our users' personal data regularly only if the respective users have given their consent. The only exception to this is where it is actually impossible for us to obtain prior consent and processing of the data is legally allowed.
2. Legal basis for processing personal data
Where we obtain the corresponding data subjects' consent for processing their personal data, the GDPR (article 6, paragraph 1, point a) serves as legal basis.
Where we need to process personal data for the purposes of fulfilling a contract, and the data subject is party to the contract, the GDPR (article 6, paragraph 1, point b) serves as legal basis. This also applies to processing necessary to accommodate preparations for entering into a contract.
Where processing of personal data is necessary for our company to fulfil a legal obligation, the GDPR (article 6, paragraph 1, point c) serves as legal basis.
Where processing of personal data is necessary for protecting the vital interests of the data subject, or those of another individual, the GDPR (article 6, paragraph 1, point d) serves as legal basis.
Where processing is necessary to protect our company's or a third party's legitimate interests, and such interests are not overridden by the interests, fundamental rights and freedoms of the data subject, the GDPR (article 6, paragraph 1, point f) serves as legal basis.
3. Deletion of data and storage period of data
The data subject's personal data will be deleted or blocked as soon as the purpose for which it has been collected has been fulfilled. Data may remain on record beyond this period if such is specified in European or national legislation from European Union Regulations, laws or other provisions to which the controller is subject. Data will also be deleted if a storage period specified in the above standards expires unless conclusion or fulfilment of a contract requires the data to remain on record further.
IV. Provision of website and creation of log files
1. Details and extent of data processing
Any time our website is accessed, the system of our internet service provider automatically records data and information concerning the accessing computer. The following data are recorded:
2. Legal basis for data processing
For temporary recording of these data in the system's log files, the GDPR (article 6, paragraph 1, point f) serves as legal basis.
3. Purpose of data processing
The system needs to temporarily record the IP address in order to provide the website to the user's computer. This also requires that the user's IP address remains logged throughout the session.
Recording the data in log files is necessary to ensure that the website operates correctly. The data further help to keep the computer systems secure. No data are processed for marketing purposes in this context.
The above purposes also constitute our legitimate interests in data processing under the GDPR (article 6, paragraph 1, point f).
4. Data storage period
The data are deleted as soon as they are no longer required for achieving the purpose for which they were recorded. With respect to data being recorded in order to provide the website, the data are no longer required as soon as the respective session ends. With respect to data being recorded in log files, the data is no longer required after fourteen days at the latest. Data may remain on record for longer. If so, the users' IP addresses are deleted or rendered untraceable to make identification of the accessing client impossible.
5. Right to object and options for avoidance
The website cannot be provided without recording the data and the operation of the site in the internet is impossible without storing the data in log files. There is correspondingly no option for the user to object.
To keep your data secure during transmission, we use the latest state-of-the-art encryption technology via HTTPS.
VII. Contact by email
1. Details and extent of data processing
Our website includes email addresses that allow you to contact us by email. If you do so, we will store the personal user data included in the email.
We will not give these data to anybody else. The data will be used solely for handling our conversation.
2. Legal basis for data processing
The legal basis for processing data received as part of email communication is the GDPR (article 6, paragraph 1, point f). If email communication pursues conclusion of a contract, the legal basis shall further be the GDPR (article 6, paragraph 1, point b).
3. Purpose of data processing
We process the personal data obtained from the email solely for the purposes of handling contact.
4. Data storage period
The data are deleted as soon as they are no longer required for achieving the purpose for which they were obtained. In terms of the personal data received by email, this applies when the respective conversation with the user has concluded. The conversation has concluded when the circumstances indicate that the respective subject has been fully resolved.
5. Right to object and options for avoidance
All users can at any time withdraw their consent to our processing their personal data. If a user contacts us by email, she or he can object at any time to our storing her or his personal data. If a user decides so, the conversation cannot be pursued further. You can withdraw your consent and object to our storing data by sending an email to the email address of the controller (see I). If you do so, we will delete all personal data recorded as part of our contact.
VIII. Online meetings, conference calls and webinars via Webex
We use the "Webex" tool to conduct telephone conferences, online meetings, video conferences and/or webinars (hereinafter: "Online Meetings"). "Webex" is a service of Cisco Systems, Inc. (170 West Tasman Drive, San Jose, California 95134 United States of America).
1. Responsibility
If you visit the "Webex" website, the provider of "Webex" is responsible for data processing. Visiting the website is only necessary for using "Webex" in order to download the software for using "Webex". You can also use "Webex" if you enter the respective access data for the meeting directly in the "Webex" app. If you do not want to, or cannot, use the "Webex" app, the basic functions can also be used via a browser version. When using "Webex", different types of data are processed. The scope of the data also depends on the information you provide before or during participation in an "Online Meeting".
2. Description of data
The following personal data is subject to processing:
In order to participate in an "Online Meeting" or to enter the "meeting room", you must at least provide information about your name.
3. Description of data processing
We use "Webex" to conduct "Online Meetings". If we want to record "Online Meetings", we will inform you in advance in a transparent manner and, if necessary, ask for your consent. The fact of the recording will also be displayed in the "Webex" app.
If it is necessary for the purpose of recording the results of an "Online Meeting", we will log the chat content.
In the case of webinars, we may also process the questions asked by webinar participants for the purposes of recording and follow-up of webinars.
If you are registered as a user at "Webex", reports on "Online Meetings" (meeting metadata, telephone dial-in data, questions and answers in webinars, survey function in webinars, measurement data provided by you) can be stored for up to one month at "Webex".
Automated decision making as defined by the GDPR (article 22) is not used.
4. Legal basis for data processing
As far as personal data are processed, the legal basis is the German Bundesdatenschutzgesetz (BDSG), paragraph 26. If, in connection with the use of "Webex", personal data are not required for the establishment, performance or termination of an employment relationship, but are nevertheless an elementary component in the use of "Webex", the GDPR (article 6, paragraph 1, point f) is the legal basis for data processing. In these cases, we are interested in the effective conduct of "Online Meetings".
In other respects, the legal basis for data processing when conducting "Online Meetings" is the GDPR (article 6, paragraph 1, point b), insofar as the meetings are conducted within the framework of contractual relationships.
If no contractual relationship exists, the legal basis is the GDPR (article 6, paragraph 1, point f). Here too, we are interested in the effective implementation of "Online Meetings".
5. Recipient/transfer of data
Personal data processed during participation in "Online Meetings" is generally not passed on to third parties, unless it is specifically intended to be passed on. Please note that content from "Online Meetings" as well as personal meetings are often used to communicate information with customers, interested parties or third parties and are therefore intended to be passed on. Other recipients: The provider of "Webex" necessarily obtains knowledge of the above-mentioned data to the extent that this is provided for in a contract processing agreement with "Webex".
6. Data processing outside the European Union
"Webex" is a service by a provider from the United States of America. Processing of personal data therefore also takes place in a third country. Any order processing contract by us with the provider of "Webex" meets the requirements of the GDPR (article 28).
An adequate level of data protection is guaranteed on the one hand by the provider of "Webex", and on the other hand by the conclusion of the so-called EU standard contract clauses. We note that "Webex" is used by many healthcare businesses as it can be compliant with US medical privacy laws and the provider of "Webex" as a company is known to be more security conscious than most.
Further information on data protection for "Webex" can be found in the provider's data protection declaration at: https://www.cisco.com/c/en/us/about/legal/privacy-full.html.
IX. Embedded videos
We embed videos on some of our websites. These plug-ins are operated by Linda und Sören Steinmann GbR - Video-Stream-Hosting, Am Sennehügel 20, 32052 Herford, Germany. When you access a web page with the plug-in and click the video, you will be connected to Video-Stream-Hosting's servers. When this happens, Video-Stream-Hosting receives information on the sites you are visiting.
When you start a Video-Stream-Hosting video, the provider records your computer IP address in an abbreviated form, such that it is not possible to trace back to your device.
When you start a Video-Stream-Hosting video, the provider stores session cookies in your browser. These cookies allow the user's browser to be recognized the next time. The legal basis for storing these cookies is the GDPR (article 6, paragraph 1, point f). Video-Stream-Hosting has a legitimate interest in cookie storage in order to provide technically error-free and optimal services. Users can set their browsers such that they are informed about placements of cookies. Users can set their browsers such that cookies are automatically deleted at closure of the browser. Users can permit or forbid placement of cookies on an individual basis. Note that if cookies are disabled, the functionality of the service may be limited. The cookies remain until their deletion on the end device; however, they will be deactivated at the latest after 3 months.
For more information on data protection and Video-Stream-Hosting, refer to the provider's data policy at https://www.video-stream-hosting.com/j/privacy.
X. Social media
We maintain an online presence in social media and platforms to communicate with the prospects and users active there and to keep them up-to-date on our services. When accessing social media networks and platforms, the respective operators' terms and conditions and data policies will apply.
Unless noted otherwise in our data policy, we process the data of users who communicate with us through social media networks or platforms, for example, by leaving comments on our websites or sending us messages.
The company is called Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, California 94103, United States of America. By using Twitter and its re-tweet function, the websites you visit are linked to your Twitter account and communicated to other users. This also transmits data to Twitter.
Please note that we as the provider of our sites are not informed of the data transmitted or of how Twitter uses the data. For more information, see Twitter's data policy at https://twitter.com/privacy.
The company is called YouTube LLC, 901 Cherry Avenue, San Bruno, California 94066, United States of America. When you access a web page with the YouTube plug-in and click the video, you will be connected to YouTube's servers. When this happens, YouTube receives information on the sites you are visiting. If you are logged in to your YouTube account, YouTube will be able to trace your surfing behaviour. You can prevent this by logging out of your YouTube account beforehand.
If you have disabled cookies for the Google Ad program, these YouTube cookies will also be disabled. However, YouTube stores further, non-personal user data in other cookies. If you want to prevent this, you will need to disable cookies in your browser settings.
For more information on data protection and YouTube, refer to the provider's data policy at https://www.google.com/intl/en/policies/privacy/.
The company is called LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, United States of America. When logged in to your LinkedIn account, you can link our website content to your LinkedIn account. This will allow LinkedIn to trace your visit to our website to your LinkedIn user account.
We have no control over the data LinkedIn records this way, nor over the extent of data LinkedIn collects this way. We are not informed of what data LinkedIn receives. For details on data collected by LinkedIn and on your rights and setting options, see LinkedIn's data policy at https://www.linkedin.com/legal/privacy-policy.
XI. Data subject's rights
If your personal data are processed, you are a data subject as defined in the GDPR and consequently have the following rights.
1. Right of access
You are entitled to request information from the controller on whether we are processing any personal data related to yourself.
If we do, you can further request information from the controller on the following:
You are entitled to request information on whether the personal data relating to yourself will be transmitted to a non-EU member state or international organisation. You are entitled in this context to request information on suitable safeguards according to the GDPR (article 46) related to the transmission.
2. Right to rectification
You are entitled to request that the controller corrects and/or completes the personal data relating to yourself if this data is incorrect or incomplete. The controller is obliged to do so without delay.
3. Right to restriction of processing
You can request limits to the processing of personal data relating to yourself if the following applies:
If processing the personal data relating to yourself has been limited, the data can without your consent be used neither to assert, exercise or defend legal claims, nor to enforce protection of another individual's or legal entity's rights, nor can the data be processed in the public interest of the European Union or one of its member states. This does not apply to the storing of the data.
If processing has been restricted in accordance with the above conditions, you will be notified by the controller before any restrictions are lifted.
4. Right to erasure
4.1 Obligation to delete
You can request that the controller delete the personal data relating to yourself immediately; the controller is then obliged to delete the data immediately, provided one of the following conditions applies.
4.2 Notification of third parties
If the controller has published personal data relating to yourself and has become obliged to delete it as per the GDPR (article 17, paragraph 1), the controller will take action, including technical measures, using the available technology and at appropriate expense with the aim of notifying any controllers processing your personal data that you as the data subject have requested deletion of all links to said personal data or to copies or reproductions thereof.
The right to erasure becomes void if processing is necessary:
5. Notification obligation
If you have asserted your right to rectification, erasure or restriction of processing against the controller, the controller is under obligation to notify all recipients to whom the personal data relating to yourself has been disclosed of the corresponding rectification or erasure of data or of the restriction of their processing. The controller is exempted from this obligation where such notification proves impossible or unreasonable.
You have the right to be informed of who these recipients are.
6. Right to data portability
You have the right to receive the personal data concerning yourself that you have provided to a controller in a structured, commonly used and machine-readable format. You are also entitled to transmit these data to another controller without the controller to whom you have provided the data hindering you from doing so and if
When exercising this right, you can further request controllers to send the personal data relating to yourself directly to another controller, provided this is technically feasible. This must not adversely affect the liberties and rights of others.
The right to data portability does not extend to the processing of personal data where such processing is necessary for fulfilling a duty in the public interest or for exercising executive duties appointed to the controller.
7. Right to object
You are entitled to object for reasons arising from your own personal situation at any time against processing of personal data relating to yourself where processing is legitimised by the GDPR (article 6, paragraph 1, points e or f); this applies in equal measure to profiling legitimised by these provisions.
The controller will cease to process your personal data unless the controller can prove compelling legitimate reasons for processing that override your interests, rights and liberties or processing pursues the assertion, exercise or defence of legal claims.
If personal data relating to yourself are processed for the purpose of direct advertising, you are entitled to object at any time to the processing of your personal data for this purpose; this applies equally to profiling where it occurs in connection with such direct advertising.
If you object to processing for direct advertising, the personal data relating to yourself will no longer be processed for this purpose.
You may, in connection with the use of information society services, Directive 2002/58/EC notwithstanding, exercise your right to object by means of automated methods that are subject to technical specifications.
8. Right to withdraw your consent under data protection law
You are entitled to withdraw your consent under data protection law at any time. Your withdrawing consent does not affect legitimacy of any processing that has occurred with your consent prior to withdrawal.
9. Automated individual decision-making, including profiling
You have the right not to be subject to any decision that entails legal implications for yourself or has similar, substantially adverse effects on yourself, if said decision is based solely on automated processing; this includes profiling. You do not have this right if the decision:
However, such decisions may have been made based on personal data of special categories as per the GDPR (article 9, paragraph 1) unless the GDPR (article 9, paragraph 2, points a or g) also apply and appropriate measures have been taken to protect your rights, liberties and legitimate personal interests.
With respect to cases (1) and (3), the controller shall take appropriate precautions to protect your rights, liberties and legitimate personal interests; such precautions will include at least the right to enforce intervention by a human individual at the controller's, to put forward your own opinion and to contest the decision.
10. Right to complain with a supervisory authority
If you believe that processing of personal data relating to yourself is in breach of the GDPR, you have the right to lodge a complaint with a supervisory authority, particularly in the EU member state you, your place of work or the locale of the alleged infringement are in. This does not affect your recourse to other administrative or judicial remedies.
The supervisory authority receiving the complaint will keep the appellant up-to-date on status and results of the complaint, including on recourse to judicial remedies as per the GDPR (article 78).