Privacy Notice (Article 13 of the General Data Protection Regulation)

Please note that the contact details on this page are published exclusively to enable visitors to exercise their data subject rights and to comply with our legal obligations! You are not allowed to collect, copy or otherwise process these contact details for any other purpose, such as marketing or training of “artificially intelligent” software.

A. Who is responsible for your data and how to reach us

Claudius Link
Friedenstr. 46
34121 Kassel
info@opensecurityconference.org

Please note that we are not legally required to have a Data Protection Officer. Feel free to raise any of your questions and concerns regarding how we use your data directly with us.

B. Why and how we use your data

1. Whenever you access our website or one of its sub-pages (including “Server-Logs”)

Whenever you access our website (or any of its sub-pages) we will collect and, at least for a short period, store some personal information on your access and on the device you’re using to access our website. The collected information includes your internet protocol address (“IP address”), which makes you identifiable online. We are automatically storing information that your browser is sending automatically in so-called server logs. These logs are anonymized and do not include any internet protocol addresses (“IP addresses”).

1.1 Why we use your data

We have to collect and use certain of your data (such as your internet protocol address or some basic settings of your device), as well as make use of server logs, to deliver our website and have it properly displayed on your device. Also, we collect, store, and (when necessary) use your data to protect our systems and services against malfunctions and malicious acts (such as unauthorised access, deployment of malware, or attempts to incapacitate our systems with high amounts of traffic). Your data is necessary for us to try to make sure that our systems and services (and the personal data we store) are confidential, reliable, and available.

1.2 Which of your data we are using

We will collect, store, and (when necessary) use:

Your internet protocol address (“IP address”)
The date and time of your access
Which internet address (“URL”) you are trying to access
The internet address (“URL”) of the site you are coming from (“referring site”)
Which software (“browser”) you are using to access our website, its version as well as its basic settings (such as language and display resolution)
Which operating system you are using
The hostname of the device you’re using to access the site

1.3 Why we’re allowed to use your data

We will collect and use some of your data (such as the browser you are using to access our website and its basic settings) based on our legitimate interest (see Article 6 Section 1 Letter f of the General Data Protection Regulation) in delivering and displaying our website on your device. Our interest is legitimate because our website helps us to present and advertise what we do. Your data is necessary, because our website couldn’t be delivered and displayed without it. Since we do not store or otherwise use your data (unless it is necessary for security purposes), such use does not interfere with your fundamental rights and freedoms. For that reason, our legitimate interest prevails. We will also collect, store, and (when necessary) use your data (such as your Internet Protocol Address, the date and time of your access, and the browser you are using to access our website) based on our legitimate interest (see Article 6 Section 1 Letter f of the General Data Protection Regulation) in protecting our systems and services against malfunctions and malicious acts (such as unauthorised access, deployment of malware, or attempts to incapacitate our systems with high amounts of traffic). Our interest is legitimate because we are legally required to ensure the confidentiality, integrity, and availability of the personal data we store. Your data is necessary, because we need it to identify threats to our systems and services. Considering that the data we collect, store, and (when necessary) use is of a rather technical nature, that we will not make your data accessible to others (other than our processors, courts, or authorities), and that your data is usually only stored for a short period, any interference with your fundamental rights and freedoms is minor and temporary. For that reason, our legitimate interest prevails.

1.4 For how long we will store your data

Where we store your data to protect our systems and services, we will keep it stored for three days.

Only if we are legally required or have legitimate reasons to make your data accessible to certain third parties (such as law enforcement), we will have to keep your data longer than that.

1.5 Whether we will disclose your data to others

Other than to our web hosting provider (1blu AG), we usually will not make your data available to others. Only if we are legally required or have legitimate reasons to do so, we will disclose your data to third parties such as legal representation, courts, authorities, or law enforcement.

1.6 Whether there will be recipients outside of the European Union

We will not make your data available to recipients that are international organisations or are situated outside of the European Union.

1.7 Whether you have to provide your data

You are neither legally nor contractually obligated to provide us with your data and your data is no prerequisite for entering into a contractual relationship with us. However, please be aware that there is a technical necessity to collect your data whenever you access our website (but you will still be able to access our website even if you have taken technical precautions to obfuscate your real internet protocol address and location).

1.8 Whether we make automated decisions or create profiles

We will not use your data to make automated decisions or to create profiles.

1.9 These are your rights

Access (Article 15 of the General Data Protection Regulation): You are entitled to ask us whether, and if we do, why and how we are using your data. You may also request a copy of your data.

Rectification and supplementation (Article 16 of the General Data Protection Regulation): Whenever your data is inaccurate or incomplete, you are entitled to have it rectified or your missing data supplemented.

Deletion (Article 17 of the General Data Protection Regulation): You may have your data deleted if

the purpose for which it was collected does not require its use any longer,
you object to the use of your data based on personal grounds,
we were never allowed to collect, store and use your data, or
either European Union or national law requires us to delete it.

Please be aware that we may, at least under certain circumstances, legitimately refuse to delete your data, for example when we need your data to either pursue our legal claims or defend ourselves against the legal claims of others. Whenever we refuse to delete your data, we will notify you and disclose our reasons.

Restriction of processing (Article 18 of the General Data Protection Regulation): Whenever you

object to the processing of your data based on personal grounds,
claim that your data is inaccurate or incomplete,
claim that we were never allowed to use your data, or
claim that the purpose for which we collected your data does not require its use any longer,

you may (instead of deletion) request that we restrict the use of your data until we can verify your claim or you lift the restriction. When you request the restriction of your data’s use, we will be allowed to keep storing it, but we will not use it unless it is necessary to pursue our legal claims or defend ourselves against the legal claims of others.

Please contact us whenever you wish to exercise one of these rights! Although there are no formal requirements as to how you can (and cannot) exercise your rights, we’d like to encourage you to do it in writing. If you like, you can also use one of the templates provided by the German federal data protection authority.

1.10 Your right to object

You may also object to the use of your data based on personal grounds relating to your particular situation. If you do, we will stop using your data unless we can claim a legitimate interest that overrides the reasons for your objections or your data is necessary to pursue our legal claims or defend ourselves against the legal claims of others.

Please contact us whenever you wish to object to the use of your data! Although there are no formal requirements as to how you can (and cannot) object, we’d like to encourage you to do it in writing.

2. When you communicate with us (or we communicate with you)

Whenever you communicate with us (or we communicate with you) by email, text message, phone or any other means of communication, we will collect, store, and use your contact information (such as name, e-mail address, or phone number) and the content of your messages (including any personal information that you chose to disclose in them).

2.1 Why we use your data

We will collect, store, and use your data to answer your request or to pose a request to you. If our communication relates (or should lead) to a contractual relationship between us, we will store and use your data to perform our contractual duties and to comply with our legal retention obligations. We might also store and use your data to pursue our legal claims or defend ourselves against the legal claims of others.

2.2 Which of your data we are using

We will collect, store, and use:

Your name
Your contact information (such as your address, email address or phone number)
The content of your messages and any personal information you chose to disclose in them (such as your job title or employer)
Your email’s header information (such as your Internet Protocol Address)

2.3 Why we’re allowed to use your data

We will collect, store, and use your data with your consent (see Article 6 Section 1 Letter a of the General Data Protection Regulation), which you may withdraw at any time without providing your reasons (please note that the withdrawal of your consent does not affect the legitimacy of our use of your data prior to when you declared it and that we may still be allowed to keep using your data based on another legal permission such as legitimate interest).

If our communication relates (or should lead) to a contractual relationship between us and contains data that is necessary to perform our contractual duties, we will collect, store, and use such data based on this necessity (see Article 6 Section 1 Letter b of the General Data Protection Regulation). In that case, we will also store your data to comply with our legal retention obligations (see Article 6 Section 1 Letter c of the General Data Protection Regulation in combination with Paragraph 257 Section 1 of the Handelsgesetzbuch and Paragraph 147 Section 1 of the Abgabenordnung).

Where none of the other applies, we may also collect, store, and use your data based on our legitimate interest (see Article 6 Section 1 Letter f of the General Data Protection Regulation) in communication with (possible) attendees, contractors, or other persons of interest. Our interest is legitimate because its ultimate objective (our conference) is recognised by law. Your data is necessary, because communication would be impossible without it. Considering that we will use data that you yourself have provided (either as contact details or in your messages) and that we will not disclose our communication to others (except with your permission or for legal reasons), the use of your data will only be a minor interference with your fundamental rights and freedoms so that our legitimate interest will prevail.

If we make your personal data accessible to others (such as legal representation, courts, or authorities) in order to comply with a legal obligation, pursue our legal claims, or defend ourselves against the legal claims of others, we will do so either based on our legal obligations (see Article 6 Section 1 Letter c of the General Data Protection Regulation) or our legitimate interests (see Article 6 Section 1 Letter f of the General Data Protection Regulation). Our interest is legitimate because we are entitled to seek legal redress or defend ourselves against legal claims if necessary. To do so, it might be necessary to make your data accessible to others if it serves as evidence or contains any other information that might be material to the case. Since we will disclose your data only to other parties that are themselves legally bound to secrecy, such use of your data constitutes only a minor interference with your fundamental rights and freedoms, so that our legitimate interest prevails.

2.4 For how long we will store your data

Whenever we have no obligation or other reasons to store your data, we will keep it until your request is answered, you answered our request, or until the circumstances suggest that you do not want further communication.

If we store your data to comply with our legal retention obligations, we will keep it for six years. And if we store your data because it is necessary to pursue our legal claims or defend ourselves against the legal claims of others, we will keep it until the statute of limitation expires or until the conclusion of any administrative or judicial proceeding.

Since the retention period depends highly on the circumstances under which a communication takes place as well as on its content, please do not hesitate to ask us if you want to know how long we will (have to) store your messages and the data in them!

2.5 Whether we will disclose your data to others

We will usually not make your data available to others. Only if we are legally required or have legitimate reasons to do so, we will disclose your data to third parties such as legal representation, courts, authorities, or law enforcement.

2.6 Whether there will be recipients outside of the European Union

We will not make your data available to recipients that are international organisations or are situated outside of the European Union.

2.7 Whether you have to provide your data

You’re neither legally nor contractually obligated to provide us with your data. Some of your data (such as your name and address) will be a prerequisite for entering into a contractual relationship with us.

2.8 Whether we make automated decisions or create profiles

We will not use your data to make automated decisions or to create profiles.

2.9 These are your rights

Access (Article 15 of the General Data Protection Regulation): You are entitled to ask us whether, and if we do, why and how we are using your data. You may also request a copy of your data.

Deletion (Article 17 of the General Data Protection Regulation): You may have your data deleted if

the purpose for which it was collected does not require its use any longer,
you object to the use of your data based on personal grounds,
you have withdrawn your consent and we cannot claim another legal permission to continue using your data,
we were never allowed to collect, store and use your data, or
either European Union or national law requires us to delete it.

Restriction of processing (Article 18 of the General Data Protection Regulation): Whenever you

object to the processing of your data based on personal grounds,
claim that your data is inaccurate or incomplete,
claim that we were never allowed to use your data, or
claim that the purpose for which we collected your data does not require its use any longer,

Data portability (Article 20 of the General Data Protection Regulation): You may request that we hand out your data as a parsable file (for example as CSV).

2.10 Your right to object

3. Pre-Registration

When you pre-register for our conference, we will collect, store, and use your email address and your areas of interest.

3.1 Why we use your data

We will collect, store, and use your data to keep you updated and to notify you once registration opens.

3.2 Which of your data we are using

We will collect, store, and use:

Your email address
Your areas of interest

3.3 Why we’re allowed to use your data

We collect, store, and use your data with your consent (see Article 6 Section 1 Letter a of the General Data Protection Regulation), which you may withdraw at any time without providing your reasons (please note that the withdrawal of your consent does not affect the legitimacy of our use of your data prior to when you declared it and that we may still be allowed to keep using your data based on another legal permission such as legitimate interest).

3.4 For how long we will store your data

We will store your data until you withdraw your consent or until our conference is concluded on October 8th, 2025.

3.5 Whether we will disclose your data to others

We will not make your data available to others.

3.6 Whether there will be recipients outside of the European Union

We will not make your data available to recipients that are international organisations or are situated outside of the European Union.

3.7 Whether you have to provide your data

You’re neither legally nor contractually obligated to provide us with your data and your data is no prerequisite for entering into a contractual relationship with us.

3.8 Whether we make automated decisions or create profiles

We will not use your data to make automated decisions or to create profiles.

3.9 These are your rights

Access (Article 15 of the General Data Protection Regulation): You are entitled to ask us whether, and if we do, why and how we are using your data. You may also request a copy of your data.

Deletion (Article 17 of the General Data Protection Regulation): You may have your data deleted if

the purpose for which it was collected does not require its use any longer,
you have withdrawn your consent and we cannot claim another legal permission to continue using your data,
we were never allowed to collect, store and use your data, or
either European Union or national law requires us to delete it.

Restriction of processing (Article 18 of the General Data Protection Regulation): Whenever you

claim that your data is inaccurate or incomplete,
claim that we were never allowed to use your data, or
claim that the purpose for which we collected your data does not require its use any longer,

Data portability (Article 20 of the General Data Protection Regulation): You may request that we hand out your data as a parsable file (for example as CSV).

4. Registration

When you register for our conference, we will collect, store, and use information for your accommodation and to you contact you, including your email address.

4.1 Why we use your data

We will collect, store, and use your data to register you for the conference, to ensure your accommodation at the venue, and to keep you updated.

4.2 Which of your data we are using

We will collect, store, and use:

Your email address to enable us to contact you to confirm your registration and in case of changes
Your legal name and postal address for the hotel registration
How you want to be called by us
Your pronouns
If you want to share your room with another participant, and if so, their legal name to help us match registrations
If you want to bring children
Your dietary needs
Any further accommodations you need
Your consent to our code of conduct
Your consent to this privacy notice
Your consent to a potential cancellation fee

4.3 Why we’re allowed to use your data

We collect, store, and use your data based on contractual necessity (Article 6 Section 1 Letter b of the General Data Protection Regulation).

4.4 For how long we will store your data

We will store your data until November 6th, 2025 which is one month after our conference is concluded.

4.5 Whether we will disclose your data to others

Besides the venue hotel who needs your information to accommodate for your stay, we will not make your data available to others.

4.6 Whether there will be recipients outside of the European Union

We will not make your data available to recipients that are international organisations or are situated outside of the European Union.

4.7 Whether you have to provide your data

You’re neither legally nor contractually obligated to provide us with your data. Some of your data (such as your email address, legal name and postal address) will be a prerequisite for entering into a contractual relationship with us.

4.8 Whether we make automated decisions or create profiles

We will not use your data to make automated decisions or to create profiles.

4.9 These are your rights

Access (Article 15 of the General Data Protection Regulation): You are entitled to ask us whether, and if we do, why and how we are using your data. You may also request a copy of your data.

Deletion (Article 17 of the General Data Protection Regulation): You may have your data deleted if

the purpose for which it was collected does not require its use any longer,
we were never allowed to collect, store and use your data, or
either European Union or national law requires us to delete it.

Restriction of processing (Article 18 of the General Data Protection Regulation): Whenever you

claim that your data is inaccurate or incomplete,
claim that we were never allowed to use your data, or
claim that the purpose for which we collected your data does not require its use any longer,

Data portability (Article 20 of the General Data Protection Regulation): You may request that we hand out your data as a parsable file (for example as CSV).

C. Your right to file a complaint

In case you presume that we have violated your privacy rights, you may file a complaint with the data protection authority in the European Union member state where you live, work, or where the supposed violation of your rights happened. The German federal data protection authority provides further information on the competent authorities and how to contact them.

We respect your privacy rights and to not want to limit them in any way! However, we kindly ask you to contact us before you file a complaint against us.

Privacy notice kindly contributed by Raphael Albert.