Privacy policy pursuant to Section 13 and 14 GDPR

Protecting personal data is an important concern for the Bundeswehr Cyber Innovation Hub (CIHBw), an innovation unit of BWI GmbH (BWI). We operate the websites accessible through cyberinnovationhub.de in full compliance with the relevant laws on data privacy and security, in particular, the European General Data Protection Regulation (GDPR) and the German federal data protection act (Bundesdatenschutzgesetz, BDSG). We have implemented appropriate technical and organisational measures to ensure that we and all external suppliers with whom we work comply with all data protection legislation.

The following provisions govern which information, including personal data, we process during your visit and use of our website.

Name and address of the data controller

The data controller responsible for the processing of personal data is

BWI GmbH
Auf dem Steinbüchel 22
53340 Meckenheim

info@bwi.de

Every mention of ‘we’ or ‘us’ in the present privacy policy refers to the aforementioned organisation.

Our data protection officer can be contacted using the following details:

BWI GmbH
Auf dem Steinbüchel 22
53340 Meckenheim
Telephone: +49 (0)2225 988 14529
datenschutzbeauftragter@bwi.de

 

Scope of data processing

You can visit our website without leaving any information about your person, such as your name, postal address or email address. Nonetheless, we must process certain information, such as technically required cookies, in order to facilitate your access to our website; you can find out more about this in the sections below.

We only use your data for the express purpose for which you have made them available to us, for example, to respond to your inquiries. You can withdraw your consent to the processing of your data at any time with future effect.

 

Data storage period and deletion

We will delete your personal data as soon as we no longer need them for purpose for which they are being processed or at a point when their storage is no longer legal. An exception is made when there is a legal requirement to retain the data. We will also delete your data if you withdraw your consent. The following list of reasons for processing your data also contains information about their storage period in each scenario.

 

Use of cookies

We use cookies on our website in order to make our online presence as user-friendly as possible. Any data collected through cookies are used for analysis purposes and for ensuring that our website meets the needs of its users. The data collected in this way are pseudonymised through technical measures. This makes it impossible to match a data set to any specific user. These data are not stored together with any other personal user data, and they are not used to create user profiles.

What are cookies?

Cookies are small text files which our website stores on your computer. They are automatically saved in the cookie folder of your browser. Cookies save certain user data, such as the language of your browser or personal website settings. When you visit our website again, your browser sends these user information back to our website.

 Types of cookies

There are session cookies and third-party cookies. Each cookie type contains different data and has a different expiry period. Session cookies, for example, are deleted after every completed internet session, i.e., when you close your browser. The following section contains an overview of the cookies we use on our website, their purpose, expiry period and the legal basis for their use.

  • Technically required cookies
    Required cookies are necessary to ensure basic functions of our website. They are needed for the website navigation to work, for instance. These cookies are used on the basis of Section 6 Subsection 1(f) GDPR in conjunction with Section 15 Subsection 1 of the German telemedia act (Telemediengesetz, TMG). It is not necessary to obtain the user's consent to the use of such cookies.

Name

Purpose

Expiry

Type

Provider

CookieConsent

Saves your consent to the use of cookies.

1 year

HTML

BWI

fe_typo_user

Assigns your browser to a session on the server. This only affects the content you see and is not evaluated or processed further.

Session

HTTP

BWI

  •  
  •  

  • Analysis cookies 
    Analysis cookies help us understand what users do on our website. We use them to determine the number of visits to a page, for example, and analyse user behaviour through anonymous, pseudonymised information. This analysis allows us to improve the quality of our website and its content and optimise our online presence continuously. We are not able to identify any individuals directly. These cookies are used on the basis of Section 6 Subsection 1(a) GDPR.

  •  

Name

Purpose

Expiry

Type

Provider

pk_id

This cookie unequivocally matches all activities of one user with a specific user ID. The ID is randomly generated during a user's first visit to our website and does not allow us to identify the individual.

1 year

HTML

Matomo

pk_ref

This cookie contains information about the referrer (source) from which a user accessed our website. It allows us to evaluate how the use of our website differs by referrer.

6 months

HTML

Matomo

pk_ses

This cookie unequivocally links user IDs with session IDs.

30 minutes

HTML

Matomo

pk_cvar

This cookie transmits user-defined variables.

30 minutes

HTML

Matomo

pk_hsr

This cookie transfers information about the use of heatmaps; it is optional.

30 minutes

HTML

Matomo

 

Deletion of cookies

When you visit our website for the first time, you will be asked which type of cookie you wish to accept, with the exception of required cookies. Your selection will be stored in an opt-in cookie for a year or until it is deleted from your browser. You can also set your browser to inform you when cookies are placed. Through your browser settings, you can automatically reject the placement of all cookies or individual cookies. If you do not want us to recognise your device, please set your browser to delete cookies from your device, block them, or warn you when a cookie is being stored. To do so, please refer to the instructions for your browser. Please note that some functions of our website may no longer work properly or at all without cookies.

Server log files

When you visit our website, our hosting provider jweiland.net, Echterdinger Straße 57, 70794 Filderstadt, Germany, automatically and by our request stores user data in server log files, which your browser transfers automatically. This act of data processing is carried out pursuant to Section 6 Subsection 1(f) GDPR. The data are collected by our web server operator in order to ensure the functioning and security of our website. Collected data include the IP address of the requesting computer, date and time of the request, accessed pages, and information about the applications and devices you are using to access our website (browser type, language, browser version, operating system). These data are deleted after 30 days at the latest. For more information, see this page.

Matomo web analysis service

On our website, we use the web analysis service Matomo (formerly Piwik) in order to gain anonymous, pseudonymised information that allows us to measure and analyse how visitors use our website. We use these data to expand and optimise our website. This act of data processing takes place on the basis of of Section 6 Subsection(a) GDPR. You can modify your cookie settings here.

Matomo uses cookies that are stored on your computer and facilitate an anonymised analysis of your use of the website. In addition to the anonymised IP address of the requesting computer, Matomo stores information about the date, time and duration of your visit, accessed pages, and the applications and devices you are using to access our website (browser type, language, browser version, operating system).

Your IP address is immediately anonymised after collection and prior to storage, so that we cannot identify you. In concrete terms, ‘anonymised’ means that the IP address is not stored in full but partially masked (an Ipv4 address would look like this, for example: 192.168.xxx.xxx). A partially masked IP address cannot be matched with a specific device.

By changing the settings of your browser, you can deactivate or limit the transfer of cookies. Cookies that have already been stored can be deleted at any time. This can be done automatically, too. When you use such a ‘do-not-track’ option in your browser (also called ‘incognito mode’), it tells websites not to track your activities. Matomo respects this option.

Matomo is only used on the servers of our hosting provider, jweiland.net, Echterdinger Straße 57, 70794 Filderstadt, Germany. The aforementioned data are only stored on their servers and not shared with any third parties. Your data are deleted as soon as we no longer need them for our own recording purposes, normally after twelve months.

 

Social-media plug-ins

Some pages of our website contain buttons to social-media networks, which allow you to share our content. These buttons only establish contact between the user and the social network in question when you actively click them (one-click solution). By activating a social-media plug-in or icon, data such as your IP address, browser information, operating system and the URL of the current website may be transferred to the respective social-media provider. Please consult the privacy policies of the individual social-media platforms to find out to what extent, for what purpose and on what legal basis your data may be processed. The following section provides and overview of the social-media plug-ins integrated into our website.

YouTube plug-in

Our website uses the plug-in of YouTube/Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. It allows us to embed videos in our website. The plug-in was implemented into our website with data privacy in mind. Users only establish a connection to YouTube when they activate the corresponding cookie by giving their consent. If you give your consent, a connection will be established between your browser and the YouTube servers. We cannot influence whether or not these providers comply with data protection laws. We do not know to what extent, in what location and for what duration the data are stored, if the networks comply with deletion requirements, how the data are evaluated and connected, and with whom the data are shared. For more information, see the privacy policy of YouTube.

Spotify plug-in

Our website uses the plug-in of Spotify/Spotify AB, Regeringsgatan 19, SE-111 53 Stockholm, Sweden. It allows us to embed podcasts in our website. The plug-in was implemented into our website with data privacy in mind. Users only establish a connection to Spotify when they activate the corresponding cookie by giving their consent. If you give your consent, a connection will be established between your browser and the Spotify servers. We cannot influence whether or not these providers comply with data protection laws. We do not know to what extent, in what location and for what duration the data are stored, if the networks comply with deletion requirements, how the data are evaluated and connected, and with whom the data are shared. For more information, see the privacy policy of Spotify.

Twitter share button

Our website uses the share button of Twitter/Twitter Inc., 795 Folsom Street, Suite 600, San Francisco, CA 94107, USA. You can identify the button by the Twitter logo (stylised bird). The share button allows users to share an article, page or piece of content from our website on Twitter. The buttons were implemented into our website with data privacy in mind. Users only establish a connection to Twitter when activating one of the buttons with a click. If you click a button, a connection will be established between your browser and the Twitter servers. We have no influence on the extent of data collected by Twitter and only make you aware of this process on the basis of the information available to us. For more information, see the privacy policy of Twitter.

LinkedIn share button

Our website uses the share button of LinkedIn/LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA. You can identify the button by the LinkedIn logo (white ‘in’ on a background). The share button allows users to share an article, page or piece of content from our website on LinkedIn. The buttons were implemented into our website with data privacy in mind. Users only establish a connection to LinkedIn when activating one of the buttons with a click. If you click a button, a connection will be established between your browser and the LinkedIn servers. The content of the share button is directly transferred to your browser from LinkedIn. This means that LinkedIn will be informed that you have visited this website. We do not have any knowledge about nor influence over the content of that data transfer and the purpose of the data processing. Click here for more information about data processing and the privacy settings of your LinkedIn profile.

Facebook share button

Our website uses the share button of Facebook/Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA. If you are a permanent resident of the European Union, your relevant service provider will be Facebook Ireland Limited, Hanover Reach, 5-7 Hanover Quay, Dublin 2, Ireland. The share button displays the Facebook logo (white ‘f’ on a background). The share button allows users to share an article, page or piece of content from our website on Facebook. The buttons were implemented into our website with data privacy in mind. Users only establish a connection to Facebook when activating one of the buttons with a click. If you click a button, a connection will be established between your browser and the Facebook servers. As far as we are aware, the following data are transferred to Facebook:

  • Date and time of your visit
  • Accessed pages
  • IP address
  • Browser type
  • Operating system
  • User ID (if you are a registered Facebook user)

We have no influence over which data Facebook collects, uses or stores. Please consult the privacy policy and cookie guidelines of Facebook.

 

Contacting us

When you contact us by email, the personal data submitted along with your email will be used to respond to your inquiry. No data will be passed on to third parties. This act of data processing is carried out pursuant to Section 6 Subsection 1(f) GDPR. If you email us in order to enter into a contract, Section 6 Subsection 1(b) GDPR also applies. Your data will be deleted as soon as we have conclusively responded to your inquiry and there are no legal requirements prevents us from deleting them, as would be the case when the communication results in the conclusion of a contract, for instance. You can withdraw your consent to the processing of your data at any time. If you do, we will not be able to continue the conversation.

 

Data security

Our website uses the TSL (Transport Layer Security) process in conjunction with the highest level of encryption supported by your browser. Normally, this will be 256-bit encryption. If your browser does not support this, we will use 128-bit encryption instead. To determine whether a specific page of our website is encrypted, check for the padlock symbol in your browser’s address bar.

 

Recipients of personal data

Your personal data are only processed within our company. Only specific departments have access to your data, depending on the type of personal data and the purpose of their processing. They include the specialist departments responsible for our online presence and our IT department. We operate a role-based access control system to restrict data access to the functions and scope necessary for processing the data.

To the extent permitted by law, we are allowed to pass your personal data on to third parties outside of our company. Such external recipients may include, in particular:

  • service providers who work for us on the basis of a separate contract and whose services may the processing of personal data, such as hosting or maintenance providers, and any sub-contractors of our service providers which have been involved in the process with our consent,
  • service providers who have been contracted in relation to our newsletter, such as CleverReach GmbH, Schafjückenweg 2 26180 Rastede, and the sub-contractors Amazon Web Services Inc.*, Hetzner Online GmbH and PlusServer GmbH.

*Third countries, especially the USA, may not have the same standards of data protection upheld in the European Union. This may lead to disadvantages such as difficulties in exercising the rights of the data subject, lack of control over the further processing and transfer of data, and data access by public bodies, especially US governmental authorities, without any legal remedies being available to those affected.

  • non-public and public bodies in cases where we are legally obliged to transfer your personal data, e.g., for the purpose of legal or criminal prosecution.

 

Data transfer to third countries

Your personal data are always processed inside the European Union (EU) or the European Economic Area (EEA). They may be transferred to recipients in third countries only in cases where web analysis service providers are involved. Third countries are countries outside the European Union or outside the Agreement on the European Economic Area which may not necessarily adhere to standards of data protection comparable to those of the European Union.

Where the submitted data include personal data, we ensure that the third country or third-country recipient in question adhere to the required standards of data protection before transferring any data. The adequacy of data protection standards in a third country may be confirmed by a decision from the European Commission. Alternatively, we may rely on standard contractual clauses agreed between a recipient and the European Union; in individual cases, we will verify whether these clauses ensure adequate protection in consideration of the laws of the third country in question. Where necessary, we will take additional measures to ensure an appropriate level of protection. In exceptional cases, the transfer of personal data may be justified in terms of informed consent. We will be happy to provide you with further information about the suitable and adequate guarantees in place to ensure compliance with an appropriate level of data protection upon request. You can find our contact data at the start of this privacy policy.

 

Obligation to provide personal data

There is no legal or contractual obligation to provide personal data. No personal data are needed to enter into a contract. If you choose not to provide any personal data, certain functions of this website may not be available in full, and you may be unable to subscribe to our newsletter.

 

Automated decision-making

We do not use any automated decision-making processes, including profiling as defined in Section 22 GDPR, in relation to the operation of our website. If we use any such processes in individual instances in future, we will inform you about this to the extent required by law.

 

Rights of the data subject

Anyone whose personal data is being processed is a data subject as defined by the GDPR. This gives you the following rights against the data controller, provided that all legal requirements are met.

  • Right of access: As per Section 15 GDPR, you have right to access any personal data concerning you that we have processed.
  • Right to rectification: As per Section 16 GDPR, you have the right to obtain from us without undue delay the rectification of inaccurate or incomplete personal data concerning you.
  • Right to erasure: As per Section 17 GDPR, you have the right to obtain from us the erasure of personal data concerning you, provided that their processing is not required for compliance with a legal obligation or for the assertion, exercise or defence of any legal claims.
  • Right to restriction of processing: As per section 18 GDPR, you have the right to obtain from us restriction of processing in cases where you contest the accuracy of your personal data, they have been processed unlawfully, or we no longer require the data in question.
  •  
  • Right to data portability: As per Section 20 GDPR, you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format or have those data transmitted to another controller.
  • Right to withdrawal of consent: As per Section 7 Subsection 3 Sentence 1 GDPR, you  have the right to withdraw your consent at any time If you withdraw your consent, we will no longer be permitted to perform the acts of data processing relying on your consent. Withdrawal does not affect the lawfulness of any acts of processing carried out prior to withdrawal.
  • Right to lodge a complaint with a supervisory authority: As per Section 77 GDPR, you have the right to lodge a complaint with a supervisory authority.

To exercise this right, you may contact us using the information provided at the beginning of this privacy policy. If you have questions about the processing of your personal data, you may also contact our data protection officer. If you believe that the processing of your data violates data protection laws or infringes on your data protection rights in any other way, you can also contact the  Federal Commissioner for Data Protection and Freedom of Information.

Right to object

  • As per Section 21 DSGVO, you  have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions.

     

    Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

To exercise the aforementioned rights, please contact the data controller by post to the address provided above or by email to bwi.fp.Datenschutz-Governor@bwi.de. You will not incur any charges when exercising the aforementioned rights.

Protection of minors

Persons under the age of 18 should not transmit any personal data to us without consent from their parent or legal guardian. We do not request personal data from children or adolescents. We do not knowingly collect such data nor transmit them to third parties.

 

Links to websites of third-party providers

Our website contains links to websites operated by other providers. We do not have any influence on the extent, purposes and legal basis of any acts of data processing carried out by third parties. Please consult the privacy policies of the providers in question for further information.

 

Questions, comments, amendments

We will respond to all legitimate requests for access, rectification, completion or erasure of personal data. To submit such a request or any questions or comments about this privacy policy, you can click ‘Contact’ to send us your questions and comments or use the communication channels described above.

 

Currency and amendments to this privacy policy

This privacy policy is valid as of 29 July 2021.

As we expand our website and implement new technologies and as legal and official regulations change, we may be required to amend our privacy policy. We recommend that you check for updates regularly.

 

LinkedIn X Instagram Youtube