Read version in English below.

‍ ‍

Privacy Policy

•    for this website

•    for our Instagram profile

Privacy Policy for this website

I. Scope

As the data controller in accordance with Articles 13 and 14 of the General Data Protection Regulation (GDPR), we hereby inform data subjects about how we handle personal data. This document has been in force since March 2026. It may be necessary to amend this document due to any future changes to data processing procedures or as a result of amended legal or regulatory requirements. The current version is always available at https://www.birthemacdonald.com/privacy.

II. Who is responsible for data processing?

The data controller, as defined in Article 4(7) of the GDPR, is:

Dr Birthe Macdonald, Am Berge 22, 31535 Neustadt am Rübenberge. You can view the full legal notice here: https://www.birthemacdonald.com/impressum

III. Is there a data protection officer?

We have not appointed a data protection officer for our company, as there is no legal obligation to do so.

IV. Why do we process your data?

IV.1. Log files / Hosting

If you visit our website without registering or otherwise providing us with information, we only collect the following data, which your browser transmits to our server (so-called ‘server log files’):

•    The individual pages of our website (URL)

•    Date and time of access

•    Amount of data transmitted in bytes

•    Source/referrer from which you accessed the page

•    Browser used

•    Operating system used

•    IP address used (in anonymised form where applicable)

Our website is hosted by a hosting provider and made available for access. The web server used stores the aforementioned server log files.

•    Purpose of processing: Hosting the website

•    Legal basis and legitimate interests: Processing is carried out on the basis of our overriding legitimate interest (Article 6(1)(f) of the GDPR) in the security and stability of our website by engaging a service provider to supply infrastructure and platform services, computing capacity, storage space and database services, security services and technical maintenance services

•    Data recipients: Squarespace Ireland Limited, Squarespace House, Ship Street Great, Dublin 8, D08N12C

Ireland, https://de.squarespace.com

•    Retention period: 7 days

IV.2. Cookies

IV.2.a. General

(aa) Definitions

Below you will find comprehensive information on so-called ‘cookies’ and other storage technologies (‘web storage’). This refers to information that is often stored in databases on your device. Any type of ‘cookie’ or ‘web storage’ may contain personal data. In many cases, however, the data is pseudonymised. The following terms may be used below:

•    First-party cookie: This cookie is stored or modified by the website you are currently browsing

•    Third-party cookie: This cookie is stored or modified by third parties with whom the website operator is associated (e.g. an advertising network, a social media platform, etc.)

•    Session cookie: This cookie is deleted from your device when you close your browser. Often, a session cookie only stores a session ID to associate multiple requests from a user on a single page with their session

•    Persistent cookie: This cookie is stored on your device until it expires or until you delete it manually or automatically in your browser

•    Strictly necessary: Without this cookie and web storage, the service you have requested cannot be provided

•    Optional: This cookie and web storage enable us to use additional features and are only used if you give your consent

•    Local storage: Forms part of what is known as ‘web storage’. This information is also stored in your web browser until it is manually deleted.

•    Session storage: This forms part of what is known as ‘web storage’. This information is also stored in your web browser until you close the browser window.

(bb) Legal basis

•    Strictly necessary cookies and web storage: The storage of information and access to it are based on the legal basis set out in Section 25(2)(2) of the TDDDG.

•    Optional cookies and web storage: The storage of information and access to it are based on the legal basis of your individual, personal and voluntary consent in accordance with Section 25(1) of the TDDDG in conjunction with Article 6(1)(a) of the GDPR. You may withdraw your consent at any time with future effect. Data processing up to the point of withdrawal remains lawful. Please note that if you do not accept optional cookies, certain functions of our website may be restricted.

(cc) Data recipients / Access

•    First-party cookies: Only we, as the data controller and website operator, have access to these.

•    Third-party cookies: Only the third party that set these cookies itself has access to them. For example, only Google has access to a cookie set by Google and can read or modify it.

•    Web storage: Only we, as the data controller and website operator, have access to this.

(dd) Retention period

•    Session cookies: These are stored temporarily in your browser until the end of the browsing session, or you can delete them beforehand.

•    Persistent cookies: These remain stored on your device for as long as specified for the respective cookie, or may be deleted by you beforehand.

•    Local storage: This remains stored until manually deleted.

•    Session storage: This remains stored until the browser window is closed.

The exact retention period is specified under ‘Cookies and web storage used’.

(ee) Deletion options / Objection

Please note that you can configure your browser to notify you when cookies are set, allowing you to decide on a case-by-case basis whether to accept them, or to block the acceptance of cookies in specific cases or generally. Each browser differs in the way it manages cookie settings. This is described in each browser’s help menu, which explains how you can change your cookie settings. You can find these for the respective browsers via the following links:

•    Google Chrome

•    Safari

•    Mozilla Firefox

•    Microsoft Edge

•    Opera

A general objection to the use of cookies for online marketing purposes can be lodged with a number of services, particularly in the case of tracking, via the US website https://www.aboutads.info/choices/ or the EU website https://www.youronlinechoices.com/.

IV.2.b. Cookies and web storage used

You can find out more about the cookies used by Squarespace via the following link: https://support.squarespace.com/hc/articles/360001264507#h_01HAYTB2HMZD0B6QFXQ9P52DD8

The cookies listed at the following link are technically necessary for the secure operation of the website:

https://support.squarespace.com/hc/articles/360001264507#h_01J2EGREGPNHSQHNZD5089GVBH

IV.3. Web fonts

Our website uses so-called web fonts, provided by the respective provider, to ensure a consistent display of typefaces. When you visit a page, your browser loads the required web fonts into its cache to display text and typefaces correctly.

To this end, the browser you are using must establish a connection to the respective provider’s servers. As a result, the provider becomes aware that our website has been accessed via your IP address. If your browser does not support web fonts, a standard font will be loaded from your computer.

•    Purpose of processing: Consistent presentation of our website across all media

•    Legal basis and legitimate interests: The integration is carried out on the basis of our legitimate interests (Article 6(1)(f) of the GDPR) in the technically secure, maintenance-free and efficient use of fonts, their consistent display, and taking into account any licensing restrictions on their integration.

We use web fonts from the following providers:

Google

•    Data recipients: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

•    Google’s privacy policy: https://policies.google.com/privacy

•    Transfers to third countries: Where non-anonymised data is transferred to Google LLC, data processing takes place in the USA.

•    Commission Adequacy Decision: With regard to data transfers to Google LLC, we rely on the decision of 10 July 2023 concerning the EU-US Privacy Shield Framework pursuant to Article 45 of the GDPR. The list of companies participating in the EU-US Privacy Shield Framework is available at https://www.dataprivacyframework.gov/

IV.4. Google reCAPTCHA

Our website uses Google reCAPTCHA, a service provided by Google Ireland Ltd. (Google), to protect our web forms against misuse and spam. The service monitors the user’s behaviour whilst filling in the web form in order to distinguish humans from bots. If a bot is detected, the web form is blocked, thereby preventing misuse. To do this, a piece of code embedded in the website – known as JavaScript – must be executed. No individual user input is required. No cookies are set for this purpose. Personal data is not stored by either the data controller or Google. So-called Google WebFonts are also loaded to enable the service to function.

•    Purposes of processing: Protection against misuse of web forms and spam

•    Legal basis: Processing is carried out in accordance with Article 6(1)(f) of the GDPR on the basis of our overriding legitimate interest in improving the security and functionality of our website.

•    Automated decision-making: Google calculates a score to distinguish between human input and malicious bot input. If the score does not reach a certain threshold, the request is classified as a bot input and the web form is not submitted. Should you be unable to submit the web form by mistake, there are several alternative ways to contact the data controller (e.g. by post, fax or email). This does not cause any significant inconvenience.

•    Retention period: We do not store any data in connection with this service.

•    Data recipient: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

•    Google’s privacy policy: https://policies.google.com/privacy

•    Transfers to third countries: Where non-anonymised data is transferred to Google LLC, data processing takes place in the USA.

•    Commission Adequacy Decision: With regard to data transfers to Google LLC, we rely on the decision of 10 July 2023 concerning the EU-US Privacy Shield Framework pursuant to Article 45 of the GDPR. The list of companies participating in the EU-US Privacy Shield is available at https://www.dataprivacyframework.gov/

IV.5. Newsletter

We send out newsletters by email containing information about our company, our products, services, promotions and offers. The newsletter is sent out no more than once a month.

 

Double opt-in procedure: Subscription to our newsletter is generally carried out using a so-called double opt-in procedure. After subscribing, you will receive an email asking you to confirm your subscription. This confirmation is necessary to verify the accuracy of your email address. Subscriptions to the newsletter are logged so that we can provide evidence of the subscription process in accordance with legal requirements. This includes storing the time of subscription and confirmation, as well as the IP address.

•    Purpose of processing: Direct marketing, customer communication

•    Legal basis: By subscribing to our newsletter, the subscriber gives their consent (Art. 6(1)(a) GDPR).

•    Data recipient: Squarespace Ireland Limited, Squarespace House, Ship Street Great, Dublin 8, D08N12C

Ireland, https://de.squarespace.com

•    Right to withdraw consent/opt-out: You may unsubscribe from our newsletter at any time, i.e. withdraw your consent, by informing us via email (see above under ‘Data controller’) or by clicking on the link at the end of each newsletter. Withdrawal does not affect the lawfulness of processing carried out on the basis of your consent prior to withdrawal.

•    Obligation to provide data: To send you the newsletter, we require at least your valid email address. Otherwise, we cannot send it to you.

•    Retention period: Your data will be stored until you withdraw your consent. Thereafter, processing will be restricted and the data will be stored for up to three years in order to be able to provide evidence, in accordance with the law, of consent previously given. This is based on our legitimate interests (Article 6(1)(f) of the GDPR) in being able to demonstrate compliance with data protection regulations.

IV.6. Contacting us

When you contact us (e.g. via the contact form, email, telephone or fax), personal data is collected. The data collected when using the contact form is specified on the form itself. This data is stored and used solely for the purpose of responding to your enquiry or for establishing contact and the associated technical administration. We cannot process your enquiry without this mandatory information. All other details are provided on a voluntary basis.

•    Purpose of processing: To respond to your enquiry

•    Legal basis: Article 6(1)(b) of the GDPR for pre-contractual or contractual matters. Article 6(1)(a) of the GDPR for your voluntary details.

•    Recipients of the data: email service providers for emails; hosting providers for contact form enquiries

•    Retention period: Your data will be deleted once your enquiry has been fully processed. This is the case when the circumstances indicate that the matter in question has been conclusively resolved and provided that there are no statutory retention obligations to the contrary. In the case of pre-contractual and contractual matters, your enquiry will be stored until the contract ends and processing will then be restricted. If there is no longer a legal basis for storage, the data will be deleted.

IV.7. Data processing in connection with our prospective clients

•    Purpose of processing: As a prospective client, your contact details will be stored in our systems so that we can establish a business relationship with you. In doing so, we process both company data and the professional contact details of employees.

•    Legal basis: Article 6(1)(b) of the GDPR for pre-contractual or contractual matters. Article 6(1)(a) of the GDPR for information you provide voluntarily. We process the professional contact details of employees in companies in accordance with Article 6(1)(f) of the GDPR on the basis of our overriding legitimate interest in maintaining the business relationship.

•    Retention period: Prospective client data is stored for as long as it can be assumed that there is still an interest in working with us. If we assume that there is no longer any interest, we will delete the prospective client data.

IV.8. Data processing in connection with our customers, suppliers and other business partners

•    Purpose of processing: As a customer, supplier or other business partner, your contact details are stored in our systems so that we can manage our business relationship with you. In doing so, we process both company data and employees’ professional data.

•    Legal bases and legitimate interests: Article 6(1)(b) of the GDPR for pre-contractual or contractual matters. Article 6(1)(a) of the GDPR for information you provide voluntarily which is not strictly necessary for the performance of a contract. We process the professional contact details of employees in companies in accordance with Article 6(1)(f) of the GDPR on the basis of our overriding legitimate interest in maintaining the business relationship.

•    Recipients of the data: In the course of project implementation, your personal data will be disclosed to those project participants who are strictly necessary for the project’s completion.

•    Retention period: We will delete your data three years after the end of the business relationship, unless there is a legal basis for further processing (e.g. retention obligations).

IV.9. Ordering of services

IV.9.a. General

•    Purpose of processing: Fulfilment of your order.

•    Legal basis: Contract pursuant to Article 6(1)(b) of the GDPR. For data you have provided voluntarily, your consent pursuant to Article 6(1)(a) of the GDPR applies. For other processing activities, Article 6(1)(f) of the GDPR applies.

•    Legitimate interests: Debt collection and enforcement; measures for business management and the further development of services and products

•    Data recipients: Web host of the website (see above). Payment service provider, solicitor.

IV.9.b. Payment processing

•    Purpose of processing: Fulfilment of the order. Processing of the payment.

•    Legal basis: Contract pursuant to Article 6(1)(b) of the GDPR.

•    Obligation to provide data: Depending on the chosen payment method, you must provide us or the payment service provider with the necessary payment details.

•    Data recipients: Squarespace Ireland Limited, Squarespace House, Ship Street Great, Dublin 8, D08N12C

Ireland, https://de.squarespace.com. Depending on the payment service selected, personal data may also be transferred to the following data recipients:

•    Data recipients for payments made via Apple Pay: Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA, https://www.apple.com/legal/privacy/

•    Data recipients for payments via Google Pay: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, https://policies.google.com/privacy

•            Data recipients for payments by credit card: American Express Europe S.A., Theodor-Heuss-Allee 112, 60486 Frankfurt am Main, Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium, Visa Europe Limited, 1 Sheldon Square, London, W2 6TT, United Kingdom

IV.9.c. Direct marketing

•    Purpose of processing: Direct marketing, sales promotion

•    Legal basis: Our overriding legitimate interest pursuant to Article 6(1)(f) of the GDPR

•    Legitimate interests: Direct marketing, sales promotion

•    Data recipients: Email providers, agencies, lettershop

IV.9.d. Legal Obligation

•    Purpose of processing: Fulfilment of legal obligations (e.g. obligations to provide information, notify, disclose and retain data; payment of taxes and duties)

•    Legal basis: The relevant statutory provision applies in conjunction with Article 6(1)(c) of the GDPR.

•    Data recipients: Public authorities, state institutions, solicitors, tax advisers, and, where applicable, the data protection officer

V. What data protection rights do I have?

1. As a data subject, you have the following rights:

•    Confirmation of data processing: You have the right to request confirmation from us as to whether your personal data is being processed. The conditions for this are set out in Article 15 of the GDPR;

•    Access: You have the right to request information about your personal data that we process. The conditions for this are set out in Article 15 of the GDPR;

•    Rectification: You have the right to request the rectification of inaccurate personal data concerning you without undue delay. The conditions for this are set out in Article 16 of the GDPR;

•    Erasure: You have the right to request the erasure of personal data concerning you without undue delay. The conditions for this are set out in Article 17 of the GDPR;

•    Restriction of processing: You have the right to request the restriction of the processing of your personal data. The conditions for this are set out in Article 18 of the GDPR;

•    Data portability: You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format. You also have the right to have us transmit this data to another controller. The conditions for this are set out in Article 20 of the GDPR;

•    Withdrawal of consent: You have the right to withdraw your consent at any time if the processing is based on Article 6(1)(a) or Article 9(2)(a) of the GDPR. Data processing prior to withdrawal remains lawful. The withdrawal applies only to the future. The conditions for this can be found in Article 7(3) of the GDPR;

•    Lodging a complaint: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of your personal data infringes the GDPR. The conditions for this are set out in Article 77 of the GDPR. You may contact the supervisory authority responsible for the controller or the one in your country or federal state. A list of all supervisory authorities can be found here: https://www.bfdi.bund.de/DE/Service/Anschriften/anschriften_table.html

2. Right to object

•    You have the right, on grounds relating to your particular situation, to object at any time, with effect for the future, to the processing of personal data concerning you that we process on the basis of our overriding legitimate interest (Article 6(1)(e) or (f) of the GDPR); this also applies to profiling based on this provision within the meaning of Article 4(4) of the GDPR. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to establish, exercise or defend legal claims.

3. Right to object to the processing of data for the purposes of direct marketing and product reviews

•    We collect and process your personal data for the purposes of direct marketing. You have the right to object at any time to the processing of your personal data for the purposes of such direct marketing; this also applies to profiling insofar as it is related to such direct marketing.

•    In individual cases, we process and use your personal data to send you a review request and/or product recommendation by email, relating exclusively to your purchase, contract conclusion and/or other similar transactions. Furthermore, in this context, we may also use your email address and/or postal address to send you, by email and/or post, product recommendations for similar goods and/or services offered by us. You will receive these review requests and product recommendations from us regardless of whether you have subscribed to a newsletter.

•    Exercising your right to object: You may object to this data processing for direct marketing purposes at any time by writing to Dr Birthe Macdonald, Am Berge 22, 31535 Neustand am Rübenberge or by email to info@birthemacdonald.com and/or via the link at the end of every promotional email, with effect for the future, without incurring any costs other than the respective transmission costs in accordance with the standard rates. Your right to object also automatically applies to any profiling, insofar as it is related to such direct marketing.

•    If you object to processing for the purposes of direct marketing, we will cease to process your personal data for these purposes with immediate effect.

VI. How long will my data be stored?

Unless otherwise specified above, the following criteria apply to determining the storage period:

•    Where consent has been given in accordance with Article 6(1)(a) of the GDPR, the data will be stored until the data subject withdraws their consent.

•    For pre-contractual and contractual purposes pursuant to Article 6(1)(b) of the GDPR, the data will be retained beyond the end of the contract until the expiry of the relevant limitation periods (e.g. 3 years pursuant to Section 195 of the German Civil Code (BGB)) arising from the concluded contract.

•            Where our overriding legitimate interest pursuant to Article 6(1)(f) of the GDPR applies, the data will be stored until the data subject exercises their right to object under Article 21(1) of the GDPR, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing is necessary for the establishment, exercise or defence of legal claims.

•    In the case of direct marketing pursuant to Article 6(1)(f) of the GDPR, the data will be stored until the data subject exercises their right to object under Article 21(2) and (3) of the GDPR.

•    Where we are subject to statutory retention obligations, the relevant documents are retained until the expiry of the applicable statutory provisions (e.g. 10 or 6 years in accordance with Section 147 of the German Fiscal Code (AO) and Section 257 of the German Commercial Code (HGB)).

•    We retain data relating to prospective clients for as long as it can be assumed that there is still an interest in working with us. If we assume that there is no longer any interest, we will delete this data.

•    We store business partner data for as long as it can be assumed that there is still an interest in working with us. If we assume that there is no longer any interest, we will delete this data no earlier than 3 years after the termination of the last business relationship, provided there are no statutory retention obligations.

•    We store supplier data until the supplier objects and delete it no earlier than 3 years after the termination of the last business relationship, provided there are no statutory retention obligations.

VII. Source of personal data

We process personal data that we have received from you or from the recipients of personal data.

VIII. Obligation to provide data

In the course of fulfilling our contractual or statutory obligations, you, as the data subject, may be required to provide our company with personal data that is necessary for the establishment, performance and termination of the contractual relationship and the fulfilment of the associated contractual obligations, or which we are legally obliged to collect. Without this data, we will generally have to refuse to enter into the contract or will no longer be able to perform an existing contract and may have to terminate it.

________________________________________

 

Privacy Notice for our Instagram profile

I. Scope

With this document, the data controllers listed below inform you, in accordance with Article 13 of the GDPR and Section 32 of the BDSG, about the processing of personal data when you visit and interact with our profile at https://www.instagram.com/dr.birthe.macdonald/. This privacy notice has been in force since March 2026 and is published at https://www.birthemacdonald.com/privacy. It may be necessary to update this information due to further development of the platform or changes to legal or regulatory requirements. The amended version will be made available to you here.

II. Definitions

•    Data processor: A natural or legal person, public authority, agency or other body that processes personal data on behalf of the data controller;

•    BDSG: Federal Data Protection Act, available at https://dejure.org/gesetze/BDSG

•    Cookies: These are pieces of information that are often stored in databases on your device (e.g. internet browser). Any type of ‘cookie’ may contain personal data. In many cases, however, the data is pseudonymised.

•    GDPR: Regulation (EU) 2016/679 (General Data Protection Regulation), available at https://dejure.org/gesetze/DSGVO

•    Personal data: All information relating to the personal or factual circumstances of an identified or identifiable natural person. This includes, for example, profile data such as your name, your username, your email address and your profile picture, usage data, such as information about the time of your visit to our social media channels, and interaction data, such as your comments, recommendations, replies and the sharing of posts, as well as other data generated during your visit to our social media channels that is linked to you.

•    Platform: All services on www.instagram.com

•    Data controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Article 4(7) of the GDPR).

•    Web storage: This refers to information which, like cookies, is stored in databases on your device.

III. Who is responsible for data processing?

1. a) Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

(for users who are habitually resident in the European Economic Area or Switzerland)

1. b) Meta Platforms, Inc., 1601 Willow Road, Menlo Park, CA 94025, USA

(for all other users)

(referred to as ‘Instagram’)

 

Instagram is responsible for data processing insofar as this relates to the technical and administrative operation of the platform and Instagram also processes personal data solely or exclusively for its own purposes (such as the technical and administrative provision of its own services, including the storage and analysis of user data generated in the process).

2. Birthe Macdonald, Am Berge 22, 31535 Neustadt am Rübenberge. The full legal notice is available at: https://www.birthemacdonald.com/impressum

(referred to as “we” or “us”)

 

We are responsible for data processing insofar as we process personal data for our own purposes (such as for the provision of social media channels and for analysing the use of content offered there, including user and interaction data generated in the process).

3. Instagram and we jointly

Instagram and we are jointly responsible for data analysis for statistical purposes. For further details, see section VIII below.

IV. Contact details of the Data Protection Officer

1. You can contact Instagram’s Data Protection Officer via the form provided here: https://www.facebook.com/help/contact/540977946302970

 

2. We have not appointed a Data Protection Officer for our company, as there is no legal obligation to do so.

V. Data processing by Instagram

Instagram is operated by Meta Platforms Ireland Ltd. or Meta Platforms, Inc. We maintain a business profile there to provide our company information and interact with users. Every time our profile is accessed on the platform, Instagram processes personal data, regardless of whether you are logged in with your personal Instagram account and regardless of whether you have accepted cookies. With regard to the processing of personal data by Instagram, please refer to Instagram’s Privacy Policy, available at

https://www.facebook.com/privacy/policy/

Instagram also provides information there on the legal bases for data processing.

VI. Cookies and Web Storage

Instagram uses cookies and web storage. We have no influence over the scope or content of these. We therefore refer you in full to the information provided by Instagram, available at

https://www.facebook.com/privacy/policies/cookies

VII. Data processing by us

We process your personal data for the purposes of providing and using our profile on the platform, in particular to

•    present our company and carry out marketing campaigns,

•    facilitate interaction between us and users of the platform, for example via direct messages, comments, recommendations or sharing of content, or to respond to your enquiries or concerns,

•            analysing usage behaviour and measuring the reach of the content we offer on the platform, for example to improve our information and services.

The legal basis for our company presentation and user interaction with registered Instagram users is the Instagram Terms of Use (Article 6(1), first sentence, point (b) of the GDPR). With regard to the analysis of usage behaviour, we rely on our overriding legitimate interests (Article 6(1), first sentence, point (f) of the GDPR), which consist in particular of evaluating our users’ profiles and the reach of our social media channels, with the aim of optimising the content we offer there for you.

VIII. Joint data processing

Together with Instagram, we collect statistical data in aggregated form, which provides us with insights into users’ use of our company profile and their interaction with the content provided there (so-called ‘Insights data’). Insights data generally includes, amongst other things, the following information:

•    Number of interactions (e.g. via the ‘Like’ button, commenting on or sharing posts)

•    Number of comments

•    Time spent viewing video posts

•    Visitor metrics (e.g. page views)

•    Demographic data on visitors (e.g. age, gender, location, field of work, sector)

•    Reach (describes how many people are reached by a specific post [as a percentage or in absolute numbers])

•    Engagement rate (indicates how many people who see a social media post actually interact with it via likes, comments or shares) First-time impression ratio (Impressions generally describe the number of times a post is viewed; this is used to determine how widely a post has been distributed. The ‘First-Time Impression Ratio’ describes the proportion of first-time impressions, i.e. the number of new people reached).

Further information on the Insights data collected is provided by Instagram and can be found at: https://www.facebook.com/business/help/441651653251838?id=419087378825961

We process Insights data exclusively for the statistical analysis of user behaviour, with the aim of learning more about the platform’s users and tailoring our content as effectively as possible to the needs and interests of our users. We do not have access to the underlying usage data. Consequently, no conclusions can be drawn about your identity from Insights data. It is therefore also not possible to link this data to your user account with the relevant service provider. The legal basis for the associated processing of your Insights data is the protection of our legitimate interests (Article 6(1), first sentence, point (f) of the GDPR), which consist, in particular, of offering our users optimised content on our social media channels and communicating with you in the best possible way.

The joint controller agreement pursuant to Article 26(1) of the GDPR for Page Insights is available at https://de-de.facebook.com/legal/terms/page_controller_addendum

The joint controller agreement pursuant to Article 26(1) of the GDPR for Meta Business Tools is available at: https://www.facebook.com/legal/controller_addendum

IX. To whom is the data disclosed?

1. Data disclosure by Instagram

Instagram describes the recipients of the data in its privacy policy (see above).

Meta Platforms Ireland Ltd. also transfers data, including data relating to its parent company, to the USA. In this context, the EU Commission’s adequacy decision of 10 July 2023 pursuant to Article 45 of the GDPR regarding the EU-US Privacy Shield Framework applies. Meta Platforms, Inc.’s certification can be verified at https://www.dataprivacyframework.gov/s/participant-search

2. Disclosure of data by us

We disclose the personal data we have collected via the platform internally within the company to the departments responsible for this. Where we engage external service providers to manage the platform (e.g. web agency, social media management, etc.), we have entered into a data processing agreement with these service providers in accordance with Article 28 of the GDPR to protect your data.

Personal data is also disclosed to third parties or made available to third parties in the following cases:

•    Article 6(1), first sentence, point (a) of the GDPR: You have given your consent to the disclosure of data. You may withdraw this consent at any time with future effect. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent prior to its withdrawal.

•    Article 6(1), first sentence, point (c) of the GDPR: We are legally obliged to do so or required to do so by law.

•    Article 6(1), first sentence, point (f) of the GDPR: The processing is necessary for the purposes of our legitimate interests, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, take precedence.

 

X. Your rights as a data subject

1. Your rights vis-à-vis Instagram

Instagram provides information about your rights and how you can exercise them in its Privacy Policy (see above). You can contact Instagram directly regarding your rights via this contact form. If you have an Instagram account, you can, to some extent, decide for yourself in your privacy settings how your data may be processed and accessed.

2. Your rights in relation to us

We set out your rights in relation to us below:

•    Confirmation of data processing: You have the right to request confirmation from us as to whether your personal data is being processed. The conditions for this are set out in Article 15 of the GDPR;

•    Access: You have the right to request access to your personal data processed by us. The conditions for this are set out in Article 15 of the GDPR;

•    Rectification: You have the right to request the rectification of inaccurate personal data concerning you without delay. The conditions for this are set out in Article 16 of the GDPR;

•    Erasure: You have the right to request the erasure of personal data concerning you without delay. The conditions for this are set out in Article 17 of the GDPR;

•    Restriction of processing: You have the right to request the restriction of the processing of your personal data. The conditions for this are set out in Article 18 of the GDPR;

•    Data portability: You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format. You also have the right to have us transmit this data to another controller. The conditions for this are set out in Article 20 of the GDPR;

•    Withdrawal of consent: You have the right to withdraw your consent at any time if the processing is based on Article 6(1), first sentence, point (a) or Article 9(2), point (a) of the GDPR. Data processing prior to withdrawal remains lawful. The withdrawal applies only to the future. The conditions for this can be found in Article 7(3) of the GDPR;

•    Complaint: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of your personal data infringes the GDPR. The conditions for this are set out in Article 77 of the GDPR. You may contact the supervisory authority responsible for the controller or the one in your country or federal state. A list of all supervisory authorities is available at: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

•    Right to object: You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you that we process on the basis of our overriding legitimate interest (Article 6 (1), first sentence, point (e) or (f) of the GDPR); this also applies to profiling based on this provision within the meaning of Article 4(4) of the GDPR. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to establish, exercise or defend legal claims.

XI. How long will my data be stored?

Unless otherwise specified above, the following criteria apply to determining the retention period for our data:

•    Where consent has been given in accordance with Article 6(1)(a) of the GDPR, the data will be stored until you withdraw your consent.

•            For pre-contractual and contractual purposes pursuant to Article 6(1)(b) of the GDPR, the data will be stored until the contract is terminated.

•    Where we have an overriding legitimate interest pursuant to Article 6(1)(f) of the GDPR, the data will be stored until you exercise your right to object under Article 21(1) of the GDPR, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is necessary for the establishment, exercise or defence of legal claims.

•    In the case of direct marketing pursuant to Article 6(1)(f) of the GDPR, the data will be stored until you exercise your right to object under Article 21(2) and (3) of the GDPR.

Otherwise, personal data is stored only for as long as there is a legal basis for its storage.

XII. Where does the data come from?

The data controllers collect and process data that you yourself have provided.

________________________________________

© Marc Oliver Giel, Solicitor. This document is protected by copyright.