Data Protection Policy

Version: 04.11.2021

This data protection policy informs you about the type, scope and purpose of our processing of your personal data (hereinafter also referred to as “data”). Personal data are all data that have a personal reference to you, e.g. name, address, e-mail address or your user behaviour.  In order to make the processing of your data comprehensible to you, we would like to provide you with the following information to get an overview of our data processing. In order to ensure fair processing, this data protection declaration contains general information about our handling of your data as well as information about your rights according to the European Data Protection Regulation (DSGVO) and the German Federal Data Protection Act (BDSG).

Responsible for data processing on our website is Watershed e.V.

1. Contact

If you have any questions or comments about this policy, or if you wish to exercise any of your rights, please contact us at

Watershed e.V.

Arndtstr. 12, 50676 Cologne, Germany

E-mail: [email protected]

2. Legal Framework

The term “personal data” as used in data protection law refers to all information that relates to an identified or identifiable individual. We process personal data in compliance with the relevant data protection regulations, in particular the German Data Protection Act (DSGVO), which is based on the European General Data Protection Regulation (GDPR), and the German Federal Data Protection Act (BDSG). Data processing by us only takes place on the basis of legal permission. We process personal data only with your consent (Section 15 (3) of the German Telemedia Act or Article 6 (1) (a) of the German Data Protection Act), for the performance of a contract to which you are a party, or at your request for the performance of pre-contractual measures (Article 6 (1) (b) of the German Data Protection Act), for the performance of a legal obligation (Article 6 (1) (c) of the German Data Protection Act). 6 (1) (c) DSGVO) or if the processing is necessary to protect our legitimate interests or the legitimate interests of a third party, unless your interests or fundamental rights and freedoms which require the protection of personal data override (Art. 6 (1) (f) DSGVO).

If you apply for a vacancy or as a volunteer in our organisations, we also process your personal data to decide on the establishment of an employment relationship or voluntary service agreement (Section 26 (1) sentence 1 BDSG).

3. Duration of Data Storage

Unless otherwise stated in the following notes, we only store the data for as long as is necessary to achieve the processing purpose or to fulfil our contractual or legal obligations. Such legal retention obligations may arise in particular from commercial or tax law regulations.

4. Categories of Recipients of the Data

We use commissioned service providers for individual processing operations. This includes, for example, webhosting, maintenance and support of IT systems, marketing measures or file and data carrier disposal services. These service providers only process the data according to explicit instructions and are contractually obliged to guarantee appropriate technical and organisational measures for data protection. In addition, we may transmit personal data of our donors or applicants to bodies such as postal and delivery services, our house bank, tax advisor/auditor or the tax authorities.

5. Data Transfer to third Countries

Visiting our website may involve the transfer of certain personal data to third countries, i.e. countries in which the DSGVO is not applicable law. Such a transfer takes place in a permissible manner if the European Commission has determined that an adequate level of data protection is required in such a third country. If such an adequacy decision by the European Commission does not exist, a transfer of personal data to a third country will only take place if appropriate safeguards pursuant to Article 46 of the DSGVO are in place or if one of the conditions of Article 49 of the DSGVO is met.

Unless otherwise stated below, we use the EU standard contractual clauses for the transfer of personal data to processors in third countries as appropriate safeguards: https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX%3A32010D0087

6. Processing when exercising your rights according to Art. 15 to 22 DSGVO

If you exercise your rights in accordance with Articles 12 to 22 of the German Data Protection Regulation (DSGVO), we will process the transmitted personal data for the purpose of implementing these rights by us and in order to be able to provide proof of this. We will only process data stored for the purpose of providing information and preparing it for this purpose and for the purpose of data protection control and otherwise restrict processing in accordance with Art. 18 DSGVO. These processing operations are based on the legal basis of Art. 6 para. 1 lit. c) DSGVO in conjunction with. Art. 15 to 22 DSGVO and § 34 para. 2 BDSG.

7. Your Rights

As a person concerned, you have the right to assert your personal rights against us. In particular, you have the following rights:

– In accordance with Art. 15 DSGVO and § 34 BDSG, you have the right to request information about whether and, if so, to what extent we are processing personal data relating to you or not.

– You have the right to demand that we correct your data in accordance with Art. 16 DSGVO.

– You have the right to demand the deletion of your personal data in accordance with Art. 17 DSGVO and § 35 BDSG.

– You have the right to have the processing of your personal data restricted in accordance with Art. 18 DSGVO.

– You have the right, in accordance with Art. 20 DSGVO, to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format, and to transfer this data to another person responsible.

– If you have given us separate consent to data processing, you may revoke this consent at any time in accordance with Art. 7 (3) DSGVO. Such a revocation does not affect the lawfulness of the processing that was carried out on the basis of the consent until the revocation.

– If you are of the opinion that the processing of your personal data violates the provisions of the DSGVO, you have the right to lodge a complaint with a supervisory authority in accordance with Art. 77 DSGVO.

8. Right of Objection

In accordance with Art. 21 (1) DSGVO, you have the right to object to data processing based on the legal basis of Art. 6 (1) e) or f) DSGVO on grounds relating to your personal situation. If we process personal data about you for the purpose of direct marketing, you may object to this processing pursuant to Art. 21 (2) and (3) DSGVO.

9. Data Protection Officer

You can reach our data protection officer at the following contact details:

[email protected]

Patrik Veltins, Watershed e.V., Arndstr. 12, 50676 Cologne, Germany

Watershed e.V. operates websites and social media pages through which we reach out to our members, donors, applicants, volunteers and other interested parties.

When you use our website, we collect information that you provide. In addition, during your visit to the website, we automatically collect certain information about your use of the website. In data protection law, the IP address is also considered to be a personal data. An IP address is assigned to every device connected to the internet by the internet provider so that it can send and receive data.

1. Webhosting and Processing of Server Log Files

To operate our website, we use the provider Hetner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, on whose server our Internet pages are stored and made available for retrieval on the Internet (hosting). During the purely informative use of our website, Hetzner first automatically (i.e. not via registration) stores general information that your browser transmits to our server. This includes by default: browser type/version, operating system used, page accessed, the previously visited page (referrer URL), IP address, date and time of the server request and HTTP status code. The processing is carried out to protect our legitimate interests and is based on the legal basis of Art. 6 (1) (f) DSGVO. This processing serves the technical administration and security of the website. The stored data is deleted after seven days, unless there is a justified suspicion of unlawful use based on concrete indications and further examination and processing of the information is necessary for this reason. We are not able to identify you as a data subject from the stored information. Articles 15 to 22 of the Data Protection Regulation therefore do not apply pursuant to Article 11 (2) of the Data Protection Regulation, unless you provide additional information that enables you to be identified in order to exercise your rights set out in these articles. Users can find further information on data protection at Hetzner in Hetzner’s data protection information: https://www.hetzner.de/rechtliches/datenschutz

2. Contact Possibilities and Enquiries

If you send us a mail via the contact e-mail provided, we will process the transmitted data for the purpose of answering your enquiry. If your request is directed towards the conclusion or performance of a contract with us, Art. 6 (1) (b) DSGVO is the legal basis for the data processing. Otherwise, we process the data on the basis of our legitimate interest in contacting the person making the enquiry. The legal basis for data processing is then Art. 6 (1) (f) DSGVO.

3. Cookies

We use cookies and similar technologies on our website. Cookies are small text files that are stored by your browser when you visit one of our websites. This identifies the browser used and can be recognised by web servers. You have full control over the use of cookies through your browser. You can delete the cookies in the security settings of your browser at any time or object to the use of cookies through your browser settings in principle or for certain cases. Further information on this is available from the Federal Office for Information Security: https://www.bsi-fuer-buerger.de/BSIFB/DE/Empfehlungen/EinrichtungSoftware/EinrichtungBrowser/Sicherheitsmassnahmen/Cookies/cookies_node.html.

The use of cookies is partly technically necessary for the operation of our website and is therefore permitted without the user’s consent. In addition, we may use cookies to offer special functions and content as well as for analysis and marketing purposes. These may also include cookies from third-party providers (so-called third party cookies). We only use such technically unnecessary cookies with your consent in accordance with Section 15 (3) TMG or Article 6 (1) a DSGVO. You can find information about the purposes, providers, technologies used, stored data and the storage period of individual cookies in the settings of our consent management tool.

4. Consent Management

This website uses a consent management banner to control cookies. The consent banner enables users of our website to give consent to certain data processing procedures or to revoke a given consent. By confirming the “I accept” button or by saving individual cookie settings, you consent to the use of the associated cookies. The legal basis under data protection law is your consent within the meaning of Art. 6 (1) a) DSGVO.

In addition, the banner helps us to provide proof of the declaration of consent. For this purpose, we process information about the declaration of consent and further log data about this declaration. Cookies are also used to collect this data.

The processing of this data is necessary in order to be able to prove that consent has been given. The legal basis results from our legal obligation to document your consent (Art. 6 para. 1 lit. c) in conjunction with Art. 7 para. 1 DSG). Art. 7 para. 1 DSGVO).

In line with the ePrivacy Directive, you can view the history of consents, change or revoke consents.

5. Google Analytics

We use the Google Analytics service of Google Ireland Limited (Ireland/EU) for the needs-based configuration and ongoing optimisation of our website. The service uses cookies that enable an analysis of your use of our website. This involves the processing of personal data in the form of online identifiers (including cookie identifiers), IP addresses, device identifiers and information about interaction with our website. Google will use this information on our behalf for the purpose of evaluating your use of our website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. In doing so, the processed data may be used to create user profiles, which we may link to data we have received via our contact form. We only use Google Analytics with IP anonymisation activated. This means that the IP address of the user is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. We use the Google Universal Analytics variant. This enables us to assign interaction data from different devices and from different sessions to a unique user ID. This allows us to contextualise and analyse individual user actions.

Google Analytics is only used with your consent in accordance with Section 15 (3) TMG or Article 6 (1) a DSGVO.

In the case of Google services, the transmission of data to Google Inc. in the USA cannot be ruled out. Please note the information in the section “Data transfer to third countries”. Users can find further information on data protection at Google in Google’s data protection information: https://www.google.com/policies/privacy

6. Google Ads and Google Tags Manager

We use the marketing service Google Ads Conversions or Google Tags Manager of Google Ireland Limited (Ireland/EU). Google Ads allows us to place ads relevant to users on the Google advertising network (e.g. in search results, or on other websites), improve campaign performance reports and avoid serving ads to a user more than once. Each Ads client sets a different conversion cookie. These cookies cannot therefore be tracked across the websites of different Ads clients. A cookie ID is used to record which ads are played in which browser. In this way, multiple display of the same campaign can be prevented. In addition, cookie IDs can be used to record so-called conversions, i.e. whether a user sees an ad and later visits the advertiser’s website and makes a purchase there.

Google marketing services are only used with your consent in accordance with Section 15 (3) of the German Telemedia Act (TMG) or Article 6 (1) a of the German Data Protection Act (DSGVO).

In the case of Google services, the transmission of data to Google Inc. in the USA cannot be ruled out. Please note the information in the section “Data transfer to third countries”. Users can find further information on data protection at Google in Google’s privacy policy: https://www.google.com/policies/privacy.

7. Google Maps

We use the service Google Maps Google Ireland Limited (Ireland/EU) on our website and on our social media channels to display map views. For such an integration, the processing of your IP address is technically necessary so that the content can be sent to your browser. Your IP address is therefore transmitted to Google. Google also processes further analysis data on its own responsibility, which serves to optimise its services.

When integrating Google Maps, we therefore use a two-click solution. When using the two-click solution, no connection to Google is established at first, but a placeholder is loaded from our own server. This can be a preview image of the integrated maps or videos. A contact to the “third-party server” is only established after a further click on the respective placeholder. The transmission of the IP address and the setting of cookies therefore only takes place when you confirm this with your click.

The data processing is carried out with your consent in accordance with § 15 para. 3 TMG or Art. 6 para. 1 letter a DSGVO.

In the case of Google services, the transmission of data to Google Inc. in the USA cannot be ruled out. Please note the information in the section “Data transfer to third countries”. Users can find further information on data protection at Google in Google’s data protection information: https://www.google.com/policies/privacy.

8. Paypal

Your donation can be processed by the payment service provider PayPal (Europe) S.à.r.l. et Cie., S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg. In this process, Paypal processes personal data, including name, address or bank data such as account/credit card number, passwords, TANs, verification numbers as well as details of the concluded contract and details of the recipient of the payment. Only Paypal collects and processes this personal information. We do not receive any information about your account or credit card details at any time. We are informed by Papypal whether the payment from our donors has been received, we receive your email address and, if applicable, your address for the creation of a donation receipt. How we process your data in connection with your donation can be found further down on this page.

Currently we only link to our paypal account but if we would use the Paypal plugin on our website it will be controlled by our Consent Management. The cookies are therefore set with your consent in accordance with § 15 para. 3 TMG or Art. 6 para. 1 letter a DSGVO. You can find more information about Paypal’s data protection at https://www.paypal.com/de/webapps/mpp/ua/privacy-full#.

9. Google Web Fonts

In order to display our content correctly and in a graphically appealing manner across browsers, we use “Google Web Fonts” from Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter “Google”) to display fonts on our website.

Further information on Google Web Fonts can be found at https://developers.google.com/fonts/faq and in Google’s privacy policy: https://www.google.com/policies/privacy/.

We are represented on several social media platforms with a company page. Through this, we aim to provide further opportunities for information about our organisation and for interaction.

When you visit or interact with a profile on a social media platform, personal data about you may be processed. Information associated with a social media profile used also regularly constitutes personal data. This includes messages and statements made using the profile. In addition, during your visit to a social media profile, certain information is often automatically collected about it, which may also constitute personal data.

1. Visiting a social media page

a. Facebook and Instagram

When you visit our Facebook or Instagram page, through which we present our organisation services, certain information about you is processed. The sole controller of this processing of personal data is Facebook Ireland Ltd (Ireland/EU – “Facebook”). Further information about the processing of personal data by Facebook can be found at https://www.facebook.com/privacy/explanation. Facebook offers the possibility to object to certain data processing; information and opt-out options in this regard can be found at https://www.facebook.com/settings?tab=ads.

Facebook provides us with anonymised statistics and insights for our Facebook and Instagram page, which help us gain knowledge about the types of actions people take on our page (so-called “page insights”). These page insights are created based on certain information about individuals who have visited our page. This processing of personal data is carried out by Facebook and us as joint controllers. The processing serves our legitimate interest to evaluate the types of actions taken on our site and to improve our site based on these insights.

The legal basis for this processing is Article 6(1)(f) DSGVO. We cannot attribute the information obtained via Page Insights to individual Facebook profiles that interact with our Facebook page. We have entered into a joint controller agreement with Facebook which sets out the allocation of data protection obligations between us and Facebook. Details of the processing of personal data to create Page Insights and the agreement entered into between us and Facebook can be found at https://www.facebook.com/legal/terms/information_about_page_insights_data. In relation to this data processing, you have the possibility to assert your data subject rights (see “Your rights”) also against Facebook. Further information on this can be found in Facebook’s privacy policy at https://www.facebook.com/privacy/explanation.

Please note that according to the Facebook privacy policy, user data is also processed in the USA or other third countries. Facebook only transfers user data to countries for which the European Commission has issued an adequacy decision in accordance with Article 45 of the DSGVO or on the basis of appropriate guarantees in accordance with Article 46 of the DSGVO.

b. LinkedIn

LinkedIn Ireland Unlimited Company (Ireland/EU – “LinkedIn”) is the sole responsible party for the processing of personal data when you visit our LinkedIn page. Further information about the processing of personal data by LinkedIn can be found at https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy.

When you visit, follow or engage with our LinkedIn company page, LinkedIn processes personal data to provide us with anonymised statistics and insights. This provides us with insights into the types of actions that people take on our site (so-called page insights). For this purpose, LinkedIn processes in particular data that you have already provided to LinkedIn via the information in your profile, such as data on function, country, industry, seniority, company size and employment status. In addition, LinkedIn will process information about how you interact with our LinkedIn company page, e.g. whether you are a follower of our LinkedIn company page. With Page Insights, LinkedIn does not provide us with any personal data about you. We only have access to the aggregated Page Insights. It is also not possible for us to draw conclusions about individual members using the information in the Page Insights. This processing of personal data in the context of Page Insights is carried out by LinkedIn and us as joint controllers. The processing serves our legitimate interest to evaluate the types of actions taken on our LinkedIn company page and to improve our company page based on these insights. The legal basis for this processing is Article 6(1)(f) DSGVO. We have entered into a joint controller agreement with LinkedIn which sets out the allocation of data protection obligations between us and LinkedIn. The agreement is available at: https://legal.linkedin.com/pages-joint-controller-addendum. Thereafter, the following applies:

Please note that in accordance with LinkedIn’s privacy policy, personal data may also be processed by LinkedIn in the US or other third countries. LinkedIn will only transfer personal data to countries for which an adequacy decision has been issued by the European Commission in accordance with Article 45 of the DSGVO or on the basis of appropriate safeguards in accordance with Article 46 of the DSGVO.

c. Twitter

For the processing of personal data when visiting our Twitter profile, Twitter Inc. (USA) is the sole responsible party. Further information about the processing of personal data by Twitter Inc. can be found at https://twitter.com/de/privacy.

2. Comments and Messages

We also process information that you have provided to us via our company page on the relevant social media platform. Such information may be the username used, contact details or a message sent to us. These processing operations are carried out by us as the sole data controller. We process this data on the basis of our legitimate interest to get in contact with inquiring persons. The legal basis for the data processing is Art. 6 para. 1 letter f DSGVO. Further data processing may take place if you have consented (Art. 6 para. 1 lit. a DSGVO) or if this is necessary for the fulfilment of a legal obligation (Art. 6 para. 1 lit. c DSGVO).