Privacy Policy

In the following, we inform you about the processing of personal data by our company in accordance with the legal requirements – in particular the EU General Data Protection Regulation (GDPR, available here).

I. General information

In this section of the data protection declaration, you will find information on the scope of application, the data controller, its data protection officer and data security. In addition, we explain in advance the meaning of important terms used in the data protection declaration.

1. important terms

Browser: Computer programme for displaying websites (e.g. Chrome, Firefox, Safari).

Cookies: Text files that the accessed web server places on the user’s computer by means of the browser used. The stored cookie information can contain both an identifier (cookie ID), which is used for recognition, and content data such as login status or information about visited websites. The browser sends the cookie information back to the web server with each request during subsequent, new visits to this page. Most browsers accept cookies automatically.

Third countries: Countries outside the European Union (EU)

GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), available here.

Personal data: Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Profiling: any type of automated processing of personal data consisting in using such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or change of location.

Services: Our offerings to which this Privacy Policy applies (see Scope).

Tracking: The collection and analysis of data relating to the behaviour of visitors to our services.

Tracking technologies: Tracking can take place both via the activity logs stored on our web servers (log files) and by means of data collection from your terminal device via pixels, cookies and similar tracking technologies.

Processing: any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Pixel: Pixels are also called tracking pixels, web beacons or web bugs. They are small, invisible graphics in HTML emails or on web pages. When a document is opened, this small image is loaded from a server on the Internet, and the download is registered there. In this way, the operator of the server can see if and when an e-mail has been opened or a website visited. Mostly, this function is realised by calling a small programme (Javascript). In this way, certain types of information on your computer system can be recognised and passed on, such as the content of cookies, the time and date of the page call and a description of the page on which the tracking pixel is located.

2. scope of application

This privacy policy applies to the following offers:

  • whenever otherwise referred to in any of our offerings (e.g. websites, subdomains, mobile applications, web services or third-party integrations), regardless of the way you access or use it.

All these offers are also referred to collectively as “services”.

3. data controller

The data controller – the person who determines the purposes and means of the processing of personal data – in connection with the Services is:

C3 Creative Code and Content GmbH
Heiligegeistkirchplatz 1
10748, Berlin

4. data protection officer

Contact our data protection officer:
Data protection request form

Or via the address mentioned under I.3 (for the attention of the Data Protection Department) or via:
Phone:+49 (0) 30 44 032 0

II. Data processing in detail

In this section of the privacy policy, we inform you in detail about the processing of personal data within the scope of our services. For the sake of clarity, we structure this information according to certain functionalities of our services. During the normal use of the services, different functionalities and thus also different processing operations may take effect one after the other or at the same time.

1. general information on data processing

Unless otherwise stated, the following applies to all processing operations described below:

a) No obligation to provide & consequences of non-provision

The provision of personal data is not required by law or contract and you are not obliged to provide data. We will inform you during the input process if the provision of personal data is required for the respective service (e.g. by designating it as a “mandatory field”). In the case of required data, failure to provide it will mean that the service in question cannot be provided. Otherwise, failure to provide the data may mean that we are unable to provide our services in the same form and quality.

b) Consent

In various cases, you have the option of also giving us your consent (where applicable for part of the data) to further processing in connection with the processing described below. In this case, we will inform you separately in connection with the submission of the respective declaration of consent about all modalities and the scope of the consent and about the purposes we pursue with these processing operations. The processing operations based on your consent are therefore not listed again here (Art. 13 Para.4 GDPR).

c) Transfer of personal data to third countries

If we transfer data to third countries, i.e. countries outside the European Union, then the transfer takes place exclusively in compliance with the legally regulated permissibility requirements.

If the transfer of data to a third country is not for the purpose of fulfilling our contract with you, we do not have your consent, the transfer is not necessary for the assertion, exercise or defence of legal claims and no other exemption under Article 49 of the GDPR applies, we will only transfer your data to a third country if an adequacy decision under Article 45 of the GDPR or appropriate safeguards under Article 46 of the GDPR are in place.

By concluding the EU standard data protection clauses issued by the European Commission with the receiving entity, we fulfil the requirements for verification with regard to appropriate safeguards pursuant to Art. 46 para. 2 lit. c) GDPR, as well as with regard to an adequate level of data protection in the third country. Copies of the EU standard data protection clauses are available on the website of the European Commission, available here.

d) Hosting with external service providers

Our data processing is carried out to a large extent using so-called hosting service providers, who provide us with storage space and processing capacity in their data centres and also process personal data on our behalf in accordance with our instructions. Personal data may be transferred to hosting service providers for all of the functionalities mentioned below. These service providers either process data exclusively in the EU or we have guaranteed an adequate level of data protection by means of the EU standard data protection clauses (see under c.).

e) Transfer to state authorities

We transfer personal data to state authorities (including law enforcement authorities) if this is necessary for the fulfilment of a legal obligation to which we are subject (legal basis: Art. 6(1)(c) GDPR) or if it is necessary for the assertion, exercise or defence of legal claims (legal basis Art. 6(1)(f) GDPR).

f) Storage period

The “Storage period” section indicates in each case how long we will use the data for the respective processing purpose. After this period has expired, the data will no longer be processed by us, but will be deleted at regular intervals, unless continued processing and storage is provided for by law (in particular because it is necessary for the fulfilment of a legal obligation or for the assertion, exercise or defence of legal claims) or you give us consent that goes beyond this.

g) Functional duration of cookies

Some of the data processing described in the following sections is carried out with the aid of cookies. The information stored in a cookie can only be accessed via the Internet by the operator of the web server that originally set the cookie. Access by third parties in this way is not possible. Cookies have different functional durations. Some cookies are only active during a browser session and are deleted afterwards, others function for longer periods of time, but usually shorter than one year. After the functional duration has expired, a cookie is deleted by the browser. You can manage cookies using the browser functions (mostly under “Options” or “Settings”). This allows the storage of cookies to be deactivated, made dependent on your consent in individual cases or otherwise restricted. You can also delete cookies at any time.

h) Data category designations

In the next sections, the following summary category designations are used for certain types of data:

  • Account Data: Login/user ID and password
  • Personal data: Title, salutation/gender, first name, last name, date of birth.
  • Address data: street, house number, address additions if applicable, postcode, city, country
  • Contact data: Telephone number(s), fax number(s), e-mail address(es).
  • Registration data: Information on the service through which you have registered; times and technical information on registration, confirmation and deregistration; data provided by you when registering.
  • Press distribution list usage data: Accreditation topic, accreditation time, agreement to restriction of use/declaration of consent, downloads of press materials.
  • Usage profile data Newsletter: opening of the newsletter (date and time), contents, selected links, also the following information of the accessing computer system: internet protocol address (IP address) used, browser type and version, device type, operating system and similar technical information.
  • Access data: Date and time of the visit to our service; the page from which the accessing system accessed our site; pages called up during use; data for session identification (session ID); also the following information of the accessing computer system: Internet protocol address (IP address) used, browser type and version, device type, operating system and similar technical information.

i) Data collection from public sources

We collect personal data from publicly available sources. Publicly accessible sources include, in particular, publicly accessible websites, all public directories available to the general public (telephone number and similar directories) and public registers, even if they may require a login (e.g. commercial registers).

We process all categories of data that are stored in publicly accessible sources. This may include, for example, personal master data, address data, contact data, payment data, order data, as well as all other data categories, such as interests, preferences, affinities and the like.

The data is collected for the purpose of fulfilling the principle of accuracy according to Art. 5 (1) (d) GDPR, if applicable, for the purpose of contract performance according to Art. 6 (1) (b) GDPR, if applicable, for the purpose of law enforcement and debt collection according to Art. 6 (1) (b) and (f) GDPR, as well as for the purpose of direct advertising that is as interest-oriented as possible according to Art. 6 (1) (f) GDPR in connection with Recital 46 GDPR.

2. Accessing our services

Below we describe how your personal data is processed when you access our Services (e.g. loading and viewing the website, opening and navigating within the mobile device app). In addition, we use technically or legally necessary auxiliary tools that do not collect any data themselves (such as a tag manager), but only serve to ensure the security of the website, the administration and operation of other tools or the administration of consents granted by you (Consent Management Platform). In particular, we would like to point out that the transmission of access data to external content providers (see under b.) is unavoidable due to the technical functioning of the transmission of information on the Internet. The third-party providers are themselves responsible for the data protection-compliant operation of the IT systems they use. The decision on the storage period of the data is the responsibility of the service providers.

a) Purpose of the data processing and legal basis as well as legitimate interests, if applicable, storage period.

Data category:

Purpose: Access data

Connection establishment; display of the contents of the service; detection of attacks on our site based on unusual activities; error diagnosis.

Legal basis:

Art. 6 para. 1 lit. f) GDPR

Legitimate interest pursued by us:

Proper functioning of the Services; Security of data and business processes; Prevention of misuse; Prevention of damage due to interference with information systems.

Storage period: 4 weeks

b) Recipients of the personal data

Recipient category:

External content providers who provide content (e.g. images, videos, embedded posts from social networks, advertising banners, fonts, update information, shortened links) that are necessary to display the service.

Data Concerned: Access data

Legal basis:

Art. 6 para. 1 lit. f) GDPR

Legitimate interest pursued by us:

Proper functioning of the Services; (accelerated) presentation of content.

Recipient category: IT security service provider

Data concerned: Access data

Legal basis:

Art. 6 para. 1 lit. f) GDPR

Legitimate interest pursued by us:

Prevention of attacks by exploiting security gaps / vulnerabilities.

3. contacting us via contact form

Below we describe how your personal data is processed when you contact us with enquiries.

Purpose of data processing and legal basis as well as legitimate interests, if applicable, storage period.

Data category: Personal master data; contact data; content of enquiries/complaints.

Purpose: Processing of enquiries

Legal basis: Art. 6(1)(b) and (f) GDPR.

Legitimate interest pursued by us: Improvement of our service

Storage period: Processing of the request

4. Tracking

Below we describe in which cases and how your personal data is processed using tracking technologies when you use our services.

What data is processed by tracking?

The tracking methods described only process personal data in pseudonymous form. A connection with a concrete, identified natural person, i.e. a combination of the data with information about the bearer of the pseudonym, does not take place.

Directly transmitted pseudonymous information such as the cookie ID or (possibly shortened) IP address is assigned further information during tracking. Typically, this is technical information about the end device used, information about usage behaviour on the Internet, interests and possibly location data.

How can you object to tracking?

The description of the tracking procedures also includes information on how you can prevent the data processing. Please note that this so-called “opt-out”, i.e. the refusal of processing, is partly stored via cookies. If you use our services via a new terminal device or in a different browser, or if you have deleted the cookies set by your browser, you may have to declare the rejection again.

What is the legal basis for tracking?

The use of tracking technologies can be based on various legal grounds, which we describe below. For which specific purpose and on the basis of which legal basis we carry out the tracking by a specific service in individual cases, we describe in the list below (see letters a) and b)).

  1. Legal basis Contract, Art. 6 (1) (b) GDPR If we provide services that are provided in connection with a contract, the tracking and the associated analysis of user behaviour may be carried out on the basis of the legal basis Art. 6 (1) (b) GDPR. The information obtained through this tracking is necessary in order to provide optimised services in accordance with the contractual purpose and to ensure the greatest possible benefit.
  2. Legal basis Legitimate Interest, Art. 6 (1) (f) GDPR Another possibility is that we carry out the tracking and the associated analysis of user behaviour on the basis of the legal basis Art. 6 (1) (f) GDPR, i.e. after weighing up the interests. In order to provide attractive services as efficiently as possible, we pursue the legitimate interest of analysing information obtained through tracking about user behaviour on our services. Tracking on the basis of the legal basis Art. 6 para. 1 lit. f) GDPR can in particular help us,
    • check the effectiveness of our services, optimise them and adapt them to the needs of the users as well as correct errors,
    • to statistically determine key data on the use of our services (reach, intensity of use, surfing behaviour of users) – on the basis of uniform standard procedures – and thus to obtain values that can be compared across the market,
    • to measure the success of advertising campaigns, to optimise our advertisements for the future and to enable marketers and advertisers to also optimise their advertisements accordingly
    • to enable a correct commission settlement for transactions,
    • to be able to show you optimised advertising and content that is tailored as closely as possible to your interests and thereby to market our services optimally and adapt them to the needs of users.However, we do not pursue any purposes on this basis for which the behaviour of data subjects on the Internet needs to be made traceable or user profiles need to be created.
  3. Legal basis Consent, Art. 6 (1) a) GDPR Finally, it is possible that we carry out tracking on the basis of your consent (Art. 6 (1) a) GDPR). Consent is voluntary. It is given, for example, by clicking the “OK” button on our services after a corresponding notice has been displayed. You can revoke this consent at any time.

a) Tracking technologies used
Matomo: Matomo is a service provided by InnoCraft Ltd, 150 Willis St, 6011 Wellington, New Zealand.

Purpose of tracking: Matomo collects information on user behaviour in order to improve the user-friendliness of the website.

Processing of personal data: This website uses the Matomo service with the “AnonymizeIP” extension. This means that IP addresses are processed in abbreviated form, thus excluding the possibility of direct personal references.

Storage period or functional duration of the cookie: The processed data (IP address) is stored for a maximum of 90 days.

Legal basis: Consent (Art. 6 para. 1 a) GDPR).

Option to prevent processing (opt-out) Link

III. data subject rights

1. right of objection

If we process your personal data for the purpose of direct marketing, you have the right to object at any time with future effect to the processing of personal data relating to you for the purpose of such marketing; this also applies to profiling insofar as it is associated with such direct marketing.

You also have the right to object at any time with future effect to the processing of personal data concerning you which is carried out pursuant to Article 6(1)(e) or (f) GDPR on grounds relating to your particular situation; this also applies to profiling based on these provisions.

You can exercise your right of objection free of charge. In order to process your request more quickly, please prefer to use our form under the following link:
Data protection request form

Alternatively, you can reach us via the contact details mentioned under I.4, among others.

2. right of access

You have the right to request confirmation from us as to whether personal data relating to you is being processed and, if so, to obtain information about that personal data and the other information listed in Article 15 of the GDPR.

3. right of rectification

You have the right to request that we correct any inaccurate personal data relating to you without undue delay (Art. 16 GDPR). Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data – also by means of a supplementary declaration.

4. right to erasure (“right to be forgotten”)

You have the right to demand that we erase personal data relating to you without delay, provided that one of the reasons set out in Article 17(1) of the GDPR applies and the processing is not necessary for one of the purposes regulated in Article 17(3) of the GDPR.

5. right to restriction of processing

You have the right to request a restriction in the processing of your personal data if one of the conditions regulated in Art. 18 (1) a) to d) GDPR is met.

6. right to data portability

Under the conditions set out in Art. 20(1) GDPR, you have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format, and the right to transfer this data to another controller without hindrance from us. When exercising the right to data portability, you have the right to obtain that the personal data be transferred directly from us to another controller, where this is technically feasible.

7. right of revocation in the case of consent

Insofar as the processing is based on your consent, you have the right to revoke your consent at any time. This does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

8. right of complaint

You have a right of appeal to the supervisory authority responsible for our company. The supervisory authority responsible for our company is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit, An der Urania 4-10, 10787 Berlin,