Privacy Policy for the website www.hannasheimwerk.de
1 Why do we need this privacy policy?
Welcome to my website! Here you will find all the information about my work as a photographer and my services. Please feel free to look around, write me a message using the contact form or send me an email.
When you visit my website, various personal data are processed. One of the laws that applies to me – the General Data Protection Regulation, or GDPR for short – contains certain requirements in this regard. For example, I have to inform you about certain things at the time your personal data are collected. And that’s exactly what this data protection declaration is about!
1a What is personal data?
Data protection is all about personal data. This includes all information that can somehow be related to a person. It does not matter who can establish the connection. It is enough that it is possible. The term includes name, address, occupation, email address, state of health, income, marital status, telephone number and usage data such as the IP address. So you can see that almost all data can actually be personal – even if it is only technical information.
1b Where is the website hosted and who has access to it?
My website is hosted in a data centre. This is owned by Webhoster.de AG, Zum Haunert 22, 59519 Möhnesee. I have concluded a contract with the operator of the data centre for order processing and have obliged the operator to comply with certain data protection requirements.
Otherwise, only I have access to the personal data processed via the website and incoming requests. However, if we conclude a contract and documents relevant to tax law are created, it is possible that other people may become aware of them. This may include, in particular, a tax advisor or lawyer.
1c When do we talk about processing?
There are many things we can do with personal data. This includes everything from collecting to deleting. We can capture, organise, sort, store, adapt, modify, read, query, use, disclose, transmit or provide it. So, in fact, processing is always taking place.
Who is responsible for data processing on the website?
I am responsible for data processing on the website: Johanna Thöming. You can find my contact details in the imprint. I do not have to appoint a data protection officer. However, you are welcome to contact me directly at any time if you have any questions regarding the processing of your personal data.
1d What data is processed when surfing the website?
Just by accessing the website, your computer sends data. This is the only way to establish a connection with your device. The following (personal) data is processed during this process: date and time of the website visit, name of the subpage visited, IP address, referrer URL (source URL), operating system used, host name of the accessing computer, and product and version information of your browser. The data processing that takes place is legally permitted on the basis of legitimate interest (Art. 6 para. 1 f) GDPR). I would like to present myself as a photographer and show my pictures. For this, I need my own website – because today, customers only look for services on the internet. The processing of the aforementioned data takes place automatically when the website is accessed and is also necessary for this. The usage data is deleted after 90 days.
2 What happens when I make contact?
I have included a contact form on the website so that you can write your message directly in a field and send it to me. Please enter the requested information (e.g. email address, telephone number). However, you can also write to me directly by email. You can find the address in several places on the website.
There is a higher probability of incorrect data processing because the technical and organisational measures for the protection of personal data do not fully meet the requirements of the DS-GVO in terms of quantity and quality
The use of WhatsApp, the data processing that takes place during this and the transmission of data to the USA is based on your consent (Art. 6 para. 1 a) and Art. 49 para. 1 a) DS-GVO). You give your consent by scanning the code and writing your message to me. I store the resulting chat for the duration of our collaboration. If you do not commission me, I will of course delete your messages and personal data immediately.
I have no influence on the extent of the data processing by the provider of the messenger service and can only refer you to their privacy policy.
3 Cookies
The internet pages use so-called cookies in several places. They serve to make our offer more user-friendly, more effective and safer. A cookie is a text information that our website places on the end device you are using via the web browser. Most of the cookies we use are so-called ‘session cookies’. They are automatically deleted after your visit.
The legal basis is Art. 6 (1) (f) GDPR. Our legitimate interest arises from the fact that we only use the aforementioned cookies to make the site easier for you to access, we do not collect any tracking data in the process and therefore do not interfere with your personal rights and fundamental freedoms.
You can prevent your web browser from accepting cookies. However, this may result in a reduced functionality. These cookies are only valid for the duration of your browser session and are deleted when you finish visiting our site. In addition, you can change your cookie settings or revoke your consent at any time at the bottom of our website.
For further information on your rights as a data subject, see section 10 below.
We use cookies from the following third-party providers:
3a Cookie Consent Tool from Real Cookie Banner
To obtain your consent, we use Real Cookie Banner (https://devowl.io/de/wordpress-real-cookie-banner/), a product of devowl.io GmbH, Tannet 12, 94539 Grafling, Germany. If you give your consent, Real Cookie Banner will automatically log the following data with the operator (https://devowl.io/de/datenschutzerklaerung/):
The IP number of the end user in anonymised form (the last digits are set to ‘0’).
Date and time of consent.
User agent of the end user’s browser.
The URL from which consent was sent.
An anonymous, random and encrypted key.
The end user’s consent status, which serves as proof of consent.
The stored data is used to ensure that web analysis services only collect data with your consent and to document this consent, and to create and display cookie statements for end users.
The key and the consent status are also stored in the end user’s browser in the ‘real_cookie_banner’ cookie so that the website can automatically read and comply with the end user’s consent for all subsequent page requests and future end user sessions for up to 12 months.
The legal basis for the processing of your data is Art. 6 (1) lit. c) and f) GDPR, because we are legally obliged to be able to prove consent and our legitimate interest arises from the fact that we can only obtain necessary consent in this way.
4. Google Tools
We use the following ‘Google services’. The controller in this regard is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Google Ireland transfers data to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, which we always point out.
For more information about whether and which data Google collects when you use these services, please refer to the Google privacy policy.
4a Google Tag Manager
I use the Google Tag Manager on my website. This allows me to integrate code sections from various tools and manage them centrally via a user interface. The Google Tag Manager can be used to manage not only Google products but also tools from other providers – which makes it very practical. Google Tag Manager triggers other tags, which in turn may collect data. However, Google Tag Manager does not access this data. If a deactivation has been made at domain or cookie level, it remains in place for all tracking tags implemented with Google Tag Manager.
I am entitled to use the Google Tag Manager for my legitimate interests (Art. 6 (1) (f) GDPR). I could, of course, integrate each code section individually into the source code of the website. But that would be very time-consuming. With the Google Tag Manager, I can save a lot of time and also keep track of the individual tools.
I do not store any personal data myself.
Data may be transferred to the USA. This is generally permissible under the conditions of Art. 46 DS-GVO and on the basis of the standard contractual clauses effectively included in the contractual relationship with Google. These have been approved by the European Commission and guarantee adequate protection of your personal data even outside the EU and the EEA. You can find more information about this directly from Google.
4b Google Ads
We use AdWords and Google Conversion Tracking, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (‘Google’). Google Adwords places a cookie on your computer (‘conversion cookie’) if you come to our website via a Google ad. These cookies expire after 30 days and we do not collect any personal data that could be used to identify the user. However, your IP address is transmitted to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA in the USA so that they can carry out the evaluations described below for us. We have concluded EU standard data protection clauses with Google, by which Google proves to us that it adheres to appropriate and suitable technical and organisational measures to protect your personal data.
As long as the cookie is still active, we can use Google Conversion Tracking to recognise when a user visits our site that this user had clicked on the Adwords ad and was originally redirected to our site in this way. Each AdWords customer receives a different cookie. The information obtained with the cookies is used solely to create conversion statistics for us as AdWords customers. This tells us the total number of users who clicked on one of our ads and were redirected to one of our pages with a conversion tracking tag.
The legal basis for the use of conversion tracking cookies, given the appropriate consent, is Art. 6 para. 1 lit. a) GDPR.
Revocation and deletion:
You can also revoke your consent at any time by deleting all set (consent) cookies in your browser. You can also change your cookie settings and revoke your consent at the bottom of our website at any time.
You can prevent the collection of information by generally deactivating the automatic setting of cookies in your browser settings or by setting your browser to only block cookies from the domain ‘googleadservices.com’. We cannot rule out the possibility that this may result in restrictions in the usability of our site. You also have the option of deactivating the use of cookies and thus personalised ads in Google’s ad preferences manager.
You have the right to request information and to object to your data stored by us at any time, see point 10 below regarding your rights as a data subject.
I myself do not store any personal data.
Data may be transferred to the USA. This is generally permissible under the conditions of Art. 46 DS-GVO and on the basis of the standard contractual clauses effectively included in the contractual relationship with Google. These have been approved by the European Commission and guarantee an adequate level of protection for your personal data even outside the EU and the EEA. You can find more information about this directly from Google.
5. Facebook
5a. Facebook page
We operate a Facebook fan page for the purpose of interacting with our customers and for the purpose of advertising new products or services, as well as for the purpose of providing general information about our company and its employees. Customers and interested parties can join this page by clicking the ‘Like’ button and thus regularly receive information about our company in their Facebook news feed. Please note that you use this Facebook fan page and its functions at your own risk.
This applies in particular to the use of interactive functions such as commenting, sharing, liking (see ‘Things you and others have done and provided’ in the Facebook Data Policy: https://www.facebook.com/policy), as well as information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see ‘Device Information’ in the Facebook Data Policy Statement: https://www.facebook.com/policy)
To operate our Facebook fan page, we use the technical platform and services of Meta Platforms, Inc 1 Hacker Way, Menlo Park, California 94025 USA.
As explained in the Facebook Data Policy under ‘How do we use this information?’, Facebook also collects and uses information to provide analysis services, known as ‘Page Insights’, for page operators so that they can gain insights into how people interact with their pages and with the content associated with them. This information is used to provide us, as the operator of the Facebook pages, with statistical information about the use of the Facebook fan page.
We have entered into a special agreement with Facebook (‘Information on Page Insights’, https://www.facebook.com/legal/terms/page_controller_addendum), which specifically governs the security measures that Facebook must observe and in which Facebook has agreed to fulfil the rights of data subjects (i.e. users can, for example, address requests for information or deletion directly to Facebook). The rights of users (in particular with regard to information, deletion, objection and complaints to the relevant regulatory authority) are not restricted by the agreements with Facebook. Further information can be found in the ‘Information on Page Insights’ (https://www.facebook.com/legal/terms/information_about_page_insights_data).
The data collected about you in this context is processed by Meta Platforms, Inc. and may be transferred to countries outside the European Union. Facebook describes in general terms what information Facebook receives and how it is used in its data protection guidelines. There you will also find information about how to contact Facebook and how to customise your ads. The data policy is available at the following link: https://www.facebook.com/privacy/explanation
The way in which Facebook uses the data from visits to Facebook pages for its own purposes, the extent to which activities on the Facebook fan page are assigned to individual users, how long Facebook stores this data and whether data from a visit to the Facebook fan page is passed on to third parties is not conclusively and clearly stated by Facebook and is not known to us.
Meta Platforms, Inc. is able to track that you have visited our fan page and how you have used it based on the cookies it uses and the information it collects. This also applies to all other Facebook pages and when using the social share buttons, provided that these are integrated on our website.
This data can be used to offer you customised content or advertising.
If you wish to avoid this, you should log out of Facebook or disable the ‘Stay signed in’ function, delete the cookies stored on your device and close and restart your browser. This will delete Facebook information that can be used to directly identify you.
This means that you can use our Facebook fan page without disclosing your Facebook ID, but your IP address will also be recorded and cookies will be set again. You can prevent your web browser from accepting cookies. However, this may result in a loss of functionality.
When you access interactive features on the page (like, comment, share, message, etc.), a Facebook login screen will appear. After logging in, you will again be recognisable to Facebook as a specific user.
For information on how to manage or delete information about you, please refer to the Facebook Data Policy.
We are jointly responsible with Meta Platforms, Inc for the collection or receipt, in the context of a transfer (but not further processing), of ‘Event Data’ that Facebook collects or receives through the Facebook social plugins that are run on our online offering, in the context of a transfer, for the following purposes:
Advertising information that matches the presumed interests of users and the display of content;
Delivery of commercial and transactional content;
– improving ad delivery and personalising features and content.
We have entered into a special agreement with Facebook (‘Controller Addendum’, https://www.facebook.com/legal/controller_addendum), which specifically addresses the security measures that Facebook must observe (https://www.facebook.com/legal/terms/data_security_terms) and in which Facebook agrees to comply with the rights of data subjects.
Please note: If Facebook provides us with measurements, analyses and reports that do not contain any information about individual users and are therefore anonymous to us, this processing is not carried out under the shared responsibility, but on the basis of a data processing agreement („Data Processing Terms ’, https://www.facebook.com/legal/terms/dataprocessing) , the ‘Data Security Terms’ (https://www.facebook.com/legal/terms/data_security_terms) and, with regard to processing in the USA, on the basis of standard contractual clauses („Facebook EU Data Transfer Addendum, https://www.facebook.com/legal/EU_data_transfer_addendum).
Further information about Facebook and other social networks and how you can protect your data in the privacy settings can be found, for example, at youngdata.de.
The legal basis for the use of the Facebook fan pagea is Art. 6 (1) point f GDPR. Our legitimate interest lies in the fact that we enable customers to communicate directly with our company via this social media service, including for complaints, and thus constantly optimise our service.
Users‘ rights are not restricted by the agreements with Facebook.
Regarding your rights as a data subject, see Section 10 below.
5b. Facebook Ads
We use the advertising tools of the social network of Meta Platforms, Inc 1 Hacker Way, Menlo Park, California 94025 USA (‘Facebook’) for advertising on Facebook and Instagram. If you are logged into your Facebook or Instagram account, Facebook uses the information you provided when registering, your likes and other user behaviour to determine information such as your interests, based on which you are shown user-defined advertisements, including by our company. Likewise, we can use the information categories provided by Facebook to make settings for which user groups, who are anonymous to us, should see our ads. Depending on your privacy settings, your name may appear in our ads. You can find more information about name display in Facebook Ads here. The same applies to so-called social ads, where your friends are shown that you are ‘liking’ our page, for example. You can use the data protection settings and the advertising settings to determine whether and how your name is displayed. You can also generally opt out of Facebook ads. In addition, you can set whether and how our advertising is displayed on Facebook in the future by clicking on ‘x’ or ‘∨’ in your timeline when ads are displayed. Unless you have given your permission, Facebook will not share any of your personal data with us. We can only use Facebook’s general evaluation tools to determine how many users, subdivided according to general criteria not associated with personal data, have seen our ad, clicked on it or later made a purchase in our online store/action on our website (conversion tracking through the so-called visitor action pixel). Please note that there is a possibility that Facebook may in turn assign this data to your account profile, over which we have no control.
Data transfer to third countries: Your behavioural data, as well as the data evaluated via the visitor action pixel, are transmitted to the servers of Meta Platforms Inc. in the USA. We have concluded EU standard data protection clauses with Facebook, by which Facebook proves to us that it adheres to appropriate and suitable technical and organisational measures to protect your personal data.
For more information about how Facebook Ireland processes personal data, including the legal basis on which Facebook Ireland relies and the options for data subjects to exercise their rights against Facebook Ireland, please refer to the Facebook Ireland data policy at .
The legal basis for the collection and storage of data, provided that the appropriate consent has been obtained, is Art. 6 para. 1 lit. a) GDPR.
Objection
If you do not or no longer agree to this, you should make use of the opt-out option mentioned above, which allows you to prevent the display of advertisements on Facebook. You can find more information about Facebook’s privacy policy and how Facebook ads work on Facebook. You can also change your cookie settings and withdraw your consent at any time at the bottom of our website.
7 Whatsapp
I have decided to enable contact via the WhatsApp messenger service. Therefore, a QR code is embedded on the website that you can use to contact me directly. You can scan the code with your mobile phone and write directly to my mobile number. In doing so, your data will be synchronised with a WhatsApp server.
The messenger service is provided by WhatsApp Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. This applies in any case if the user is located in the European Union. Nevertheless, it cannot be ruled out that personal data may be transferred to the USA when using WhatsApp. The USA is an unsafe third country in terms of data protection. There are also no suitable data protection guarantees in place when using WhatsApp. The following risks are therefore associated with its use:
Personal data could potentially be passed on to others or viewed by others beyond the actual purpose
There is a higher probability of incorrect data processing, since the technical and organisational measures for the protection of personal data do not fully meet the requirements of the GDPR in terms of quantity and quality
The use of WhatsApp, the data processing that takes place during this and the transmission of data to the USA is based on your consent (Art. 6 para. 1 a) and Art. 49 para. 1 a) DS-GVO). You give this consent by scanning the code and writing your message to me. I store the resulting chat for the duration of our collaboration. If you do not hire me, I will of course delete your messages and personal data immediately.
I have no influence on the extent of the data processing by the provider of the messenger service and can only refer you to their privacy policy.
Insert link to https://www.whatsapp.com/legal/privacy-policy-eea.
6 Facebook Pixel
I use the so-called Facebook Pixel for targeted advertising and efficient measurement of my advertising campaigns. This transmits the data generated when surfing the website (e.g. sub-pages, content and advertisements clicked on) to Facebook Ireland Ltd, 4 Grand Canal Square, Dublin 2, Ireland. There they are compared with the data of your Facebook account and enriched with data already available on Facebook. The Facebook pixel ensures that you only see personalised advertising in your Facebook profile. Facebook itself uses the resulting data to analyse your user behaviour and the effectiveness of advertisements. Data about your visit to the website will be transmitted to Facebook even if you do not have a Facebook profile or are not currently logged in.
The described data processing will only take place if you have given your prior consent (Art. 6 para. 1 a) GDPR). You will be asked for a corresponding declaration when you access the website (in electronic form). You can allow or reject data processing via the Facebook pixel. The data transmitted to Facebook is deleted immediately after the comparison. I myself do not store any data during this process and I cannot see it either. Although Facebook Ireland Ltd, 4 Grand Canal Square, Dublin 2, Ireland, is generally responsible for data processing when using Facebook services in the European Union, it cannot be ruled out that the data generated during use may also be transmitted to the USA. This transfer is generally permitted because Facebook has included the standard data protection clauses approved by the EU Commission in its terms of use. Further information can be found directly on Facebook.
7. Social media
7a. Pinterest page
We operate a fan page on the Pinterest platform, offered by Pinterest, Cold Brew Labs Inc., 635 High St., Palo Alto, CA 94301 USA, for the purpose of interacting with our customers and promoting new products or services, as well as providing general information about our company and its employees.
If you access the page via our website using the Pinterest symbol and are simultaneously logged into your account, Pinterest can immediately associate your visit to our website with your Pinterest account. If you do not want Pinterest to associate your data with your account, you must log out of Pinterest before visiting our website.
When you access interactive features on the page, a Pinterest login screen will appear. After you have logged in, Pinterest can once again recognise you as a specific user. You can find more information in Pinterest’s privacy policy.
We, as the operators of our Pinterest fan page, do not collect or process any other data. Further information about Pinterest and other social networks and how you can protect your data in your privacy settings can be found, for example, at youngdata.de.
The legal basis for the use of the Pinterest fan page is Art. 6 (1) sentence 1 f) GDPR. Our legitimate interest is based on the fact that we enable customers to communicate directly with our company via this social media service, including for complaints, and thus constantly optimise our service.
Regarding your rights as a data subject, see Section 10 below.
7b. Instagram page
We operate a fan page on the ‘Instagram’ platform for the purpose of interacting with our customers and for the purpose of advertising new products or services, as well as for providing general information about our company. This service is provided on the technical platform and by means of the services of Meta Platforms, Inc 1 Hacker Way, Menlo Park, California 94025 USA (hereinafter ‘Instagram’).
The data controller for persons living outside the United States is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland.
If you access the page via our website using the Instagram symbol and are simultaneously logged into your Instagram account, Instagram can immediately associate your visit to our website with your Instagram account.
If you do not want Instagram to associate your data with your account, you must log out of Instagram before visiting our website.
When you access interactive features on the page (likes, comments, shares, messages, etc.), an Instagram login screen will appear. After any registration, you are again recognisable to Instagram as a specific user. For information on how to manage or delete information about you, please refer to the Instagram Data Policy at https://help.instagram.com/519522125107875/?maybe_redirect_pol=0.
We, as the operator of our Instagram fan page, do not collect and process any further data. Further information on Instagram and other social networks and how you can protect your data in the context of your privacy settings can be found, for example, at youngdata.de.
The legal basis for the use of the Instagram fan page is Art. 6 (1) (f) GDPR. Our legitimate interest is based on the fact that we enable customers to communicate directly with our company via this social media service, including for complaints, and thus constantly optimise our service.
Regarding your rights as a data subject, see point 10 below.
WHAT RIGHTS DO YOU HAVE?
When it comes to data protection, you have quite a few rights. There are a few articles in the GDPR that deal only with data protection. Here is an overview of your rights:
Right of access (Art. 15 GDPR)
Right to rectification (Art. 16 GDPR)
Right to erasure (Art. 17 GDPR)
Restriction of processing (Art. 18 GDPR)
Data transfer (Art. 20 GDPR)
I have considered whether your personal data may be processed on the basis of legitimate interest in accordance with Art. 6 (1) f) GDPR. If you believe that a particular processing is not permissible, you can object to it. If I come to the conclusion that the objection is justified in your personal individual case, the processing will be omitted.
You can exercise your rights at any time. However, this does not mean that they will necessarily be fulfilled. For example, you cannot request the deletion of your data and at the same time hire me as a photographer.
If you have given your consent to the processing of your data, you may withdraw it at any time. You do not have to give a reason for doing so. Please use the technical options on the website for this purpose.
You have the right to complain to a data protection supervisory authority at any time.