We store personal data on secure servers in Germany. Access to this data is limited to a small number of authorised persons who are responsible for the technical, commercial or editorial operation of the servers. The data is carefully protected against loss, destruction, corruption, manipulation, unauthorised access and unauthorised disclosure.
Definition of terms
a) Personal data
Personal data means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
b) Data subject
A data subject is any identified or identifiable natural person whose personal data is being processed by the controller.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
d) Restriction of processing
Restriction of processing means the marking of stored personal data with the aim of limiting its processing in the future.
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
g) Controller in charge of the data processing
The controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
The processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
The recipient is a natural or legal person, public authority, agency or another body, to which the personal data is disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
j) Third party
A third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Name and address of the controller and the data protection officer
Controller within the meaning of the General Data Protection Regulation, other data protection legislation applicable to the Member States of the European Union and other privacy-related rules and regulations:
Plant manager: Jonas Zipf
Head of tourism department: Hemmi Eckardt
JenaKultur, ein Eigenbetrieb der Stadt Jena
Tel. 03641 49-8050
Fax 03641 49-8055
Chairman: Harald Kramer
Director: Sylvana Hapke
Thüringer Tourismusverband Jena-Saale-Holzland e.V.
07639 Bad Klosterlausnitz
Tel. 036601 905200
Fax 036601 905201
Register of associations:
Amtsgericht Stadtroda, VR 759
Data protection officer of the controller:
Am Anger 15
oder Postfach 10 03 38, 07703 Jena
Tel. 03641 492113
Fax 03641 492114
Collection of general data and information
The web pages of the page operator collect a set of general data and information every time the website is accessed by a data subject or an automated system. This general data and information is stored in the server log files. The data collected may include
The page operator does not trace this general data and information back to the data subject. The data stored in the log files is not combined with other personal data of the user.
Article 6 (1) f GDPR constitutes the legal basis for the temporary storage of the data and log files.
The purpose of collecting this information is
This data and information is collected anonymously and is evaluated by the page oparator for statistical purposes and in order to increase data protection and data security with the ultimate goal of ensuring an optimum level of protection for the personal data processed by the page operator. Data will not be processed for marketing purposes in this context.
The data is erased as soon as it is no longer required for the purpose for which it was collected. Data collected for the purpose of making this website available is erased at the end of the relevant browser session. In certain cases, data may be stored for longer periods. The IP address of the user is erased or pseudonymised in such cases so that it is no longer possible to identify the client that accessed the website.
The collection of data for the purposes of rendering the website and the storing of data in log files are essential for the operation of the website. It is therefore not possible for users to object to this type of data processing.
Data subjects can stop the website from placing cookies on their computer systems by adjusting the relevant settings in their web browser. The data subject thereby objects to the placing of cookies on a permanent basis. In addition, any cookies that have already been set can be deleted at any time through a web browser or other software programs. All commonly used internet browsers offer this functionality. Data subjects who disable the placement of cookies in their web browser settings may no longer be able to use certain website functions to the full extent.
Article 6 (1) f GDPR forms the legal basis for the processing of personal data using cookies.
Ways to contact us through our website
In compliance with statutory requirements, the web pages provide information that enables users to quickly contact us by electronic means and to communicate with us directly. This includes an email address. If a data subject contacts the controller by email or via an online contact form, the personal data submitted by the data subject will be stored automatically. Such personal data submitted voluntarily by the data subject to the controller will be stored for processing purposes or to establish contact with the data subject. This personal data will not be passed on to third parties.
Routine erasure and blocking of personal data
The controller will process and store the personal data of data subjects only for the period of time that is required to achieve the purpose of the data storage, or to the extent provided for by EU legislators or by another legislative body in directives, regulations or statutes to which the controller is subject.
If the purpose of the data storage ceases to exist or if a data retention period determined by EU legislators or by another competent legislator expires, personal data is routinely blocked or erased in accordance with statutory provisions.
Rights of the data subject
a) Right to be informed
The GDPR grants every data subject the right to be informed about the collection and use of their personal data. If a data subject wishes to exercise this right to obtain information, he or she may contact the City of Jena at any time.
b) Right of access
The GDPR grants every data subject the right to access the personal data that is being stored and processed and to obtain a copy of this information from the controller free of charge. It furthermore grants every data subject the right to obtain information about:
The data subject also has the right to obtain information as to whether their personal data was transferred to a third country or an international organisation. Where personal data is transferred to a third country or to an international organisation, the data subject has the right to be informed of the appropriate safeguards relating to the transfer.
If a data subject wishes to exercise the right of access, he or she may contact the City of Jena at any time.
c) Right to rectification
The GDPR grants every data subject the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject also has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
If a data subject wishes to exercise the right to rectification, he or she may contact the City of Jena at any time.
d) Right to erasure (‘right to be forgotten’)
The GDPR grants every data subject the right to demand that their personal data be erased without undue delay if one of the following reasons applies and if the processing is not required:
If one of the aforementioned reasons applies and a data subject wishes to arrange for the erasure of the personal data that the page operator holds about the data subject, he or she may contact the City of Jena at any time.
If the personal data has been published by the City of Jena and if the city – in its capacity as the controller – is obliged to erase the personal data pursuant to Article 17 (1) GDPR, the page operator will take appropriate measures, including technical measures, to inform other controllers in charge of processing the published personal data that the data subject has submitted a request for these controllers to erase any links to its personal data or copies or replications of its personal data, unless the data is required for processing purposes; the page operator will take account of available technological means and implementation costs when determining what measures are appropriate in this context. The necessary steps will be initiated on a case-by-case basis.
e) Right to restrict processing
The GDPR grants every data subject the right to restrict the processing of their personal data where one of the following applies:
If one of the aforementioned conditions applies and a data subject wishes to request a restriction of the processing of the personal data that the page operator holds about the data subject, he or she may contact the City of Jena at any time. The restriction of the data processing will be implemented.
f) Right to data portability
The GDPR grants every data subject the right to receive the personal data that he or she has provided to a controller, in a structured, commonly used and machine-readable format. The data subject also has the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided, where the processing is based on consent pursuant to Article 6 (1) a GDPR or Article 9 (2) a GDPR or on a contract pursuant to Article 6 (1) b GDPR and the processing is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
In exercising his or her right to data portability pursuant to Article 20 (1) GDPR, the data subject has the right to have the personal data transmitted directly from one controller to another where technically feasible and provided the rights and freedoms of others are not adversely affected.
The right to data portability does not apply to data processing activities that are necessary for the performance of a task carried out in the public interest and to the processing of data in the exercise of official authority vested in the controller.
If a data subject wishes to exercise the right to data portability, he or she may contact the City of Jena at any time.
g) Right to object
The GDPR grants every data subject the right to object at any time, on grounds relating to their own particular situation, to processing of their personal data which is based on Article 6 (1) e or f GDPR. This also applies to profiling based on those provisions.
In the event of an objection, the page operator will no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the data subject, or if the processing is for the establishment, exercise or defence of legal claims.
Where personal data is processed by the page operator for direct marketing purposes, the data subject shall have the right to object at any time to processing of their personal data for such marketing. This includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing by the page operator for direct marketing purposes, the page operator will no longer process personal data for such purposes.
Where personal data is processed by the page operator for scientific or historical research purposes or statistical purposes pursuant to Article 89 (1) GDPR, the data subject, on grounds relating to his or her particular situation, has the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
If a data subject wishes to exercise the right to object, he or she may contact the City of Jena directly. In relation to the use of information society services, the data subject may, at its free discretion, exercise its right to object by means of automated processes based on technical specifications, notwithstanding the provisions of Directive 2002/58/EC.
h) Automated individual decision-making, including profiling
The GDPR grants every data subject the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, unless such a decision
If the decision
If a data subject wishes to exercise his/her rights in relation to automated decisions, he or she may contact the City of Jena at any time.
i) Right to withdraw consent to data processing
The GDPR grants every data subject the right to withdraw consent to the processing of their personal data at any time. If consent to the processing is withdrawn, this will not affect the legality of processing activities performed prior to the withdrawal of consent. If a data subject wishes to exercise the right to withdraw his/her consent, he or she may contact the City of Jena at any time.
Data protection provisions regarding the use of Matomo
The controller has integrated Matomo as a component on this website. Matomo is an open source software tool for web analysis. Web analysis refers to the collecting, aggregating and analysing of information on the behaviour of website visitors. A web analysis tool collects data on the website from which a data subject navigates to the current website (the ‘referrer’), which sub-pages of the current website are accessed, and/or how often and for how long these sub-pages are accessed. Web analysis is primarily used to optimise websites and to analyse the costs and benefits of online advertising.
The software is operated on the server of the controller and sensitive log files which are subject to statutory data protection requirements are stored exclusively on this server.
The purpose of the Matomo component is to analyse visitor flows on this website. The controller uses the collected data and information, amongst other purposes, to analyse the use of this website for the preparation of online reports that illustrate user activity on the city’s web pages. This helps to improve the website and make it more user-friendly. These purposes also constitute the city’s legitimate interest in the processing of data pursuant to Article 6 (1) f GDPR. The interest of users in having their personal data protected is adequately satisfied through the anonymisation of IP addresses.
Matomo sets a cookie in the IT system of the data subject. Further details on the nature of cookies are provided in the corresponding section above. Setting cookies enables the page operator to analyse how visitors use the city’s website. Every time an individual page of this website is accessed, the web browser of the data subject’s IT system is automatically prompted by the Matomo component to send data to our server for web analysis purposes. As part of this process, we obtain knowledge of personal data such as the IP address of the data subject and we use this data, among other purposes, to track the origin of visits and clicks.
Cookies are used to store personal data such as the time and point of access and the frequency of visits to our website. A transmission of this personal data, including the IP address of the data subject’s internet access point, to our server is triggered by each individual web page visit. This personal data is stored by us and is not passed on to third parties.
The software is configured in such a way that the IP address is not stored in full. Instead, two bytes of the IP address are anonymised (e.g. 192.168.xxx.xxx). It is therefore no longer possible to identify the device that accessed the website based on this anonymised IP address.
Data subjects can stop the website from placing cookies on their computer systems, as previously mentioned, by adjusting the relevant setting in their web browser. The data subject thereby objects to the placing of cookies on a permanent basis. Configuring the internet browser settings in this way also prevents Matomo from placing a cookie on the data subject’s IT system. In addition, any cookies that have already been set by Matomo can be deleted at any time through a web browser or other software programs.
Data subjects can also object to personal data in relation to the use of this website being collected by Matomo and can prevent such data collection. To do so, the data subject needs to set an opt-out cookie. If the IT system of the data subject is deleted, formatted or reinstalled at a later time, the data subject will need to set the opt-out cookie again.
Data subjects who set an opt-out cookie may, however, no longer be able to use the website of the controller to the full extent.
Disabling web analysis
The German Telemedia Act stipulates that users must have the possibility to object to the use of their data for web analysis purposes when they visit a website. The page operator does not use an objection prompt upon first access (e.g. via a pop-up window). Instead, a Piwik opt-out cookie is set in the accessing browser in order to provide protection against the web analysis software Piwik. It should be noted that this form of objection may not be sufficient under all circumstances. For example, if the user deletes all browser cookies or uses several web browsers, he or she may need to object again.
Disable Matomo web analysis
At this stage, you can decide whether you want to accept a unique web analysis cookie being stored in your browser in order to enable the website operator to collect and analyse a variety of statistical data.
Legal basis for data processing
Article 6 (1) a GDPR constitutes the legal basis for any processing of personal data for which the consent of the data subject is obtained.
Article 6 (1) b GDPR constitutes the legal basis for processing of personal data that is necessary for the performance of a contract to which the data subject is party. The same applies for processing activities required to perform steps prior to entering into a contract.
Article 6 (1) c GDPR constitutes the legal basis for processing of personal data that is necessary for compliance with a legal obligation to which the controller is subject.
Article 6 (1) d GDPR constitutes the legal basis for processing of personal data that is necessary in order to protect the vital interests of the data subject or of another natural person.
Article 6 (1) e GDPR constitutes the legal basis for cases where the processing of personal data is necessary for the page operator in order to perform a task in the public interest for which it is responsible, or where the page operator is required to process personal data in the exercise of its official authority.
Article 6 (1) f GDPR constitutes the legal basis for cases where the processing of personal data is necessary for the purposes of the legitimate interests pursued by the page operator or by a third party and where such interests are not overridden by the interests or fundamental rights and freedoms of the data subject.
Statutory or contractual requirements for the provision of personal data; data required for the formation of a contract; obligations of data subjects who provide personal data; possible consequences of a failure to provide data
In certain cases, the provision of personal data is required by law (e.g. tax laws) or contractual stipulations (e.g. information on the counterparty to an agreement). To form a contract, it may be necessary for a data subject to make personal data available that the page operator will subsequently need to process. A data subject may, for example, be required to provide certain personal data if a contract is to be concluded between the page operator and the data subject. A failure to provide this personal data would make the conclusion of a contract with the data subject impossible. Before providing personal data, the data subject must contact the page operator. Based on the specifics of the individual case, the data subject will be informed as to whether the provision of personal data is required by law or contract or is necessary to conclude a contract, whether the data subject is under any obligation to provide the personal data, and what the consequences of a failure to provide such personal data would be.
Use of automated decision-making
The page operator does not use automated decision-making processes or profiling.
Use of other services
This website uses the following services of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA:
The City of Jena takes the current debate about data protection in social networks very seriously. The question of whether or not, and to what extent, the services of social networks comply with European data protection requirements is yet to be clarified in legal terms.
We would therefore like to emphasise that services used by the City of Jena such as Twitter, Facebook, Xing, Google+ and YouTube store the data of their users (e.g. personal data, IP address) in accordance with their respective data usage policies and process this data for their business purposes. The City of Jena has no control over the collection and further use of data by these social networks. No information is available to us regarding the scope of data collected by these providers, where and for how long such data is stored, whether the social network providers comply with existing erasure requirements, how such data is analysed and combined, and to whom such data may be passed on.
Right to lodge a complaint with a supervisory authority
If you believe that the processing of your personal data contravenes the provisions of the GDPR, you have the right – without prejudice to any other administrative or judicial remedy – to lodge a complaint with a supervisory authority, especially in the Member State in which your place of residence, your work place or the place of the alleged contravention is located.
The supervisory authority with which the complaint has been lodged will inform the complainant about the status and outcome of the complaint, including the possibility of pursuing a judicial remedy in accordance with Article 78 GDPR.