Open Security Conference

Privacy Notice (Article 13 of the General Data Protection Regulation)

Please note that the contact details on this page are published exclusively to enable visitors to exercise their data subject rights and to comply with our legal obligations! You are not allowed to collect, copy or otherwise process these contact details for any other purpose, such as marketing or training of “artificially intelligent” software.

A. Who is responsible for your data and how to reach us

Claudius Link
Friedenstr. 46
34121 Kassel
info@opensecurityconference.org

Please note that we are not legally required to have a Data Protection Officer. Feel free to raise any of your questions and concerns regarding how we use your data directly with us.

B. Why and how we use your data

1. Whenever you access our website or one of its sub-pages (including “Server-Logs”)

Whenever you access our website (or any of its sub-pages) we will collect and, at least for a short period, store some personal information on your access and on the device you’re using to access our website. The collected information includes your internet protocol address (“IP address”), which makes you identifiable online. We are automatically storing information that your browser is sending automatically in so-called server logs. These logs are anonymized and do not include any internet protocol addresses (“IP addresses”).

1.1 Why we use your data

We have to collect and use certain of your data (such as your internet protocol address or some basic settings of your device), as well as make use of server logs, to deliver our website and have it properly displayed on your device. Also, we collect, store, and (when necessary) use your data to protect our systems and services against malfunctions and malicious acts (such as unauthorised access, deployment of malware, or attempts to incapacitate our systems with high amounts of traffic). Your data is necessary for us to try to make sure that our systems and services (and the personal data we store) are confidential, reliable, and available.

1.2 Which of your data we are using

We will collect, store, and (when necessary) use:

1.3 Why we’re allowed to use your data

We will collect and use some of your data (such as the browser you are using to access our website and its basic settings) based on our legitimate interest (see Article 6 Section 1 Letter f of the General Data Protection Regulation) in delivering and displaying our website on your device. Our interest is legitimate because our website helps us to present and advertise what we do. Your data is necessary, because our website couldn’t be delivered and displayed without it. Since we do not store or otherwise use your data (unless it is necessary for security purposes), such use does not interfere with your fundamental rights and freedoms. For that reason, our legitimate interest prevails. We will also collect, store, and (when necessary) use your data (such as your Internet Protocol Address, the date and time of your access, and the browser you are using to access our website) based on our legitimate interest (see Article 6 Section 1 Letter f of the General Data Protection Regulation) in protecting our systems and services against malfunctions and malicious acts (such as unauthorised access, deployment of malware, or attempts to incapacitate our systems with high amounts of traffic). Our interest is legitimate because we are legally required to ensure the confidentiality, integrity, and availability of the personal data we store. Your data is necessary, because we need it to identify threats to our systems and services. Considering that the data we collect, store, and (when necessary) use is of a rather technical nature, that we will not make your data accessible to others (other than our processors, courts, or authorities), and that your data is usually only stored for a short period, any interference with your fundamental rights and freedoms is minor and temporary. For that reason, our legitimate interest prevails.

1.4 For how long we will store your data

Where we store your data to protect our systems and services, we will keep it stored for three days.

Only if we are legally required or have legitimate reasons to make your data accessible to certain third parties (such as law enforcement), we will have to keep your data longer than that.

1.5 Whether we will disclose your data to others

Other than to our web hosting provider (1blu AG), we usually will not make your data available to others. Only if we are legally required or have legitimate reasons to do so, we will disclose your data to third parties such as legal representation, courts, authorities, or law enforcement.

1.6 Whether there will be recipients outside of the European Union

We will not make your data available to recipients that are international organisations or are situated outside of the European Union.

1.7 Whether you have to provide your data

You are neither legally nor contractually obligated to provide us with your data and your data is no prerequisite for entering into a contractual relationship with us. However, please be aware that there is a technical necessity to collect your data whenever you access our website (but you will still be able to access our website even if you have taken technical precautions to obfuscate your real internet protocol address and location).

1.8 Whether we make automated decisions or create profiles

We will not use your data to make automated decisions or to create profiles.

1.9 These are your rights

Access (Article 15 of the General Data Protection Regulation): You are entitled to ask us whether, and if we do, why and how we are using your data. You may also request a copy of your data.

Rectification and supplementation (Article 16 of the General Data Protection Regulation): Whenever your data is inaccurate or incomplete, you are entitled to have it rectified or your missing data supplemented.

Deletion (Article 17 of the General Data Protection Regulation): You may have your data deleted if

Please be aware that we may, at least under certain circumstances, legitimately refuse to delete your data, for example when we need your data to either pursue our legal claims or defend ourselves against the legal claims of others. Whenever we refuse to delete your data, we will notify you and disclose our reasons.

Restriction of processing (Article 18 of the General Data Protection Regulation): Whenever you

you may (instead of deletion) request that we restrict the use of your data until we can verify your claim or you lift the restriction. When you request the restriction of your data’s use, we will be allowed to keep storing it, but we will not use it unless it is necessary to pursue our legal claims or defend ourselves against the legal claims of others.

Please contact us whenever you wish to exercise one of these rights! Although there are no formal requirements as to how you can (and cannot) exercise your rights, we’d like to encourage you to do it in writing. If you like, you can also use one of the templates provided by the German federal data protection authority.

1.10 Your right to object

You may also object to the use of your data based on personal grounds relating to your particular situation. If you do, we will stop using your data unless we can claim a legitimate interest that overrides the reasons for your objections or your data is necessary to pursue our legal claims or defend ourselves against the legal claims of others.

Please contact us whenever you wish to object to the use of your data! Although there are no formal requirements as to how you can (and cannot) object, we’d like to encourage you to do it in writing.

2. When you communicate with us (or we communicate with you)

Whenever you communicate with us (or we communicate with you) by email, text message, phone or any other means of communication, we will collect, store, and use your contact information (such as name, e-mail address, or phone number) and the content of your messages (including any personal information that you chose to disclose in them).

2.1 Why we use your data

We will collect, store, and use your data to answer your request or to pose a request to you. If our communication relates (or should lead) to a contractual relationship between us, we will store and use your data to perform our contractual duties and to comply with our legal retention obligations. We might also store and use your data to pursue our legal claims or defend ourselves against the legal claims of others.

2.2 Which of your data we are using

We will collect, store, and use:

2.3 Why we’re allowed to use your data

We will collect, store, and use your data with your consent (see Article 6 Section 1 Letter a of the General Data Protection Regulation), which you may withdraw at any time without providing your reasons (please note that the withdrawal of your consent does not affect the legitimacy of our use of your data prior to when you declared it and that we may still be allowed to keep using your data based on another legal permission such as legitimate interest).

If our communication relates (or should lead) to a contractual relationship between us and contains data that is necessary to perform our contractual duties, we will collect, store, and use such data based on this necessity (see Article 6 Section 1 Letter b of the General Data Protection Regulation). In that case, we will also store your data to comply with our legal retention obligations (see Article 6 Section 1 Letter c of the General Data Protection Regulation in combination with Paragraph 257 Section 1 of the Handelsgesetzbuch and Paragraph 147 Section 1 of the Abgabenordnung).

Where none of the other applies, we may also collect, store, and use your data based on our legitimate interest (see Article 6 Section 1 Letter f of the General Data Protection Regulation) in communication with (possible) attendees, contractors, or other persons of interest. Our interest is legitimate because its ultimate objective (our conference) is recognised by law. Your data is necessary, because communication would be impossible without it. Considering that we will use data that you yourself have provided (either as contact details or in your messages) and that we will not disclose our communication to others (except with your permission or for legal reasons), the use of your data will only be a minor interference with your fundamental rights and freedoms so that our legitimate interest will prevail.

If we make your personal data accessible to others (such as legal representation, courts, or authorities) in order to comply with a legal obligation, pursue our legal claims, or defend ourselves against the legal claims of others, we will do so either based on our legal obligations (see Article 6 Section 1 Letter c of the General Data Protection Regulation) or our legitimate interests (see Article 6 Section 1 Letter f of the General Data Protection Regulation). Our interest is legitimate because we are entitled to seek legal redress or defend ourselves against legal claims if necessary. To do so, it might be necessary to make your data accessible to others if it serves as evidence or contains any other information that might be material to the case. Since we will disclose your data only to other parties that are themselves legally bound to secrecy, such use of your data constitutes only a minor interference with your fundamental rights and freedoms, so that our legitimate interest prevails.

2.4 For how long we will store your data

Whenever we have no obligation or other reasons to store your data, we will keep it until your request is answered, you answered our request, or until the circumstances suggest that you do not want further communication.

If we store your data to comply with our legal retention obligations, we will keep it for six years. And if we store your data because it is necessary to pursue our legal claims or defend ourselves against the legal claims of others, we will keep it until the statute of limitation expires or until the conclusion of any administrative or judicial proceeding.

Since the retention period depends highly on the circumstances under which a communication takes place as well as on its content, please do not hesitate to ask us if you want to know how long we will (have to) store your messages and the data in them!

2.5 Whether we will disclose your data to others

We will usually not make your data available to others. Only if we are legally required or have legitimate reasons to do so, we will disclose your data to third parties such as legal representation, courts, authorities, or law enforcement.

2.6 Whether there will be recipients outside of the European Union

We will not make your data available to recipients that are international organisations or are situated outside of the European Union.

2.7 Whether you have to provide your data

You’re neither legally nor contractually obligated to provide us with your data. Some of your data (such as your name and address) will be a prerequisite for entering into a contractual relationship with us.

2.8 Whether we make automated decisions or create profiles

We will not use your data to make automated decisions or to create profiles.

2.9 These are your rights

Access (Article 15 of the General Data Protection Regulation): You are entitled to ask us whether, and if we do, why and how we are using your data. You may also request a copy of your data.

Rectification and supplementation (Article 16 of the General Data Protection Regulation): Whenever your data is inaccurate or incomplete, you are entitled to have it rectified or your missing data supplemented.

Deletion (Article 17 of the General Data Protection Regulation): You may have your data deleted if

Please be aware that we may, at least under certain circumstances, legitimately refuse to delete your data, for example when we need your data to either pursue our legal claims or defend ourselves against the legal claims of others. Whenever we refuse to delete your data, we will notify you and disclose our reasons.

Restriction of processing (Article 18 of the General Data Protection Regulation): Whenever you

you may (instead of deletion) request that we restrict the use of your data until we can verify your claim or you lift the restriction. When you request the restriction of your data’s use, we will be allowed to keep storing it, but we will not use it unless it is necessary to pursue our legal claims or defend ourselves against the legal claims of others.

Data portability (Article 20 of the General Data Protection Regulation): You may request that we hand out your data as a parsable file (for example as CSV).

Please contact us whenever you wish to exercise one of these rights! Although there are no formal requirements as to how you can (and cannot) exercise your rights, we’d like to encourage you to do it in writing. If you like, you can also use one of the templates provided by the German federal data protection authority.

2.10 Your right to object

You may also object to the use of your data based on personal grounds relating to your particular situation. If you do, we will stop using your data unless we can claim a legitimate interest that overrides the reasons for your objections or your data is necessary to pursue our legal claims or defend ourselves against the legal claims of others.

Please contact us whenever you wish to object to the use of your data! Although there are no formal requirements as to how you can (and cannot) object, we’d like to encourage you to do it in writing.

3. Pre-Registration

When you pre-register for our conference, we will collect, store, and use your email address and your areas of interest. We may receive your pre-registration electronically or on paper and will process it accordingly.

3.1 Why we use your data

We will collect, store, and use your data to keep you updated and to notify you once registration opens.

3.2 Which of your data we are using

We will collect, store, and use:

3.3 Why we’re allowed to use your data

We collect, store, and use your data with your consent (see Article 6 Section 1 Letter a of the General Data Protection Regulation), which you may withdraw at any time without providing your reasons (please note that the withdrawal of your consent does not affect the legitimacy of our use of your data prior to when you declared it and that we may still be allowed to keep using your data based on another legal permission such as legitimate interest).

3.4 For how long we will store your data

We will store your data until you withdraw your consent or until our conference is concluded on October 8th, 2025.

3.5 Where we store your data and how

We store pre-registration data electronically in our systems and, where submitted on paper, in physical files. Paper records are kept in locked storage with access restricted to authorised persons until the data has been securely transferred into our electronic systems. Once the transfer has been completed, the paper records will be destroyed. Electronic records are protected by appropriate technical and organisational measures.

3.6 Whether we will disclose your data to others

We will not make your data available to others.

3.7 Whether there will be recipients outside of the European Union

We will not make your data available to recipients that are international organisations or are situated outside of the European Union.

3.8 Whether you have to provide your data

You’re neither legally nor contractually obligated to provide us with your data and your data is no prerequisite for entering into a contractual relationship with us.

3.9 Whether we make automated decisions or create profiles

We will not use your data to make automated decisions or to create profiles.

3.10 These are your rights

Access (Article 15 of the General Data Protection Regulation): You are entitled to ask us whether, and if we do, why and how we are using your data. You may also request a copy of your data.

Rectification and supplementation (Article 16 of the General Data Protection Regulation): Whenever your data is inaccurate or incomplete, you are entitled to have it rectified or your missing data supplemented.

Deletion (Article 17 of the General Data Protection Regulation): You may have your data deleted if

Please be aware that we may, at least under certain circumstances, legitimately refuse to delete your data, for example when we need your data to either pursue our legal claims or defend ourselves against the legal claims of others. Whenever we refuse to delete your data, we will notify you and disclose our reasons.

Restriction of processing (Article 18 of the General Data Protection Regulation): Whenever you

you may (instead of deletion) request that we restrict the use of your data until we can verify your claim or you lift the restriction. When you request the restriction of your data’s use, we will be allowed to keep storing it, but we will not use it unless it is necessary to pursue our legal claims or defend ourselves against the legal claims of others.

Data portability (Article 20 of the General Data Protection Regulation): You may request that we hand out your data as a parsable file (for example as CSV).

Please contact us whenever you wish to exercise one of these rights! Although there are no formal requirements as to how you can (and cannot) exercise your rights, we’d like to encourage you to do it in writing. If you like, you can also use one of the templates provided by the German federal data protection authority.

4. Registration

When you register for our conference, we will collect, store, and use information for your accommodation and to you contact you, including your email address. We may receive your registration electronically or on paper and will process it accordingly.

4.1 Why we use your data

We will collect, store, and use your data to register you for the conference, to ensure your accommodation at the venue, and to keep you updated.

4.2 Which of your data we are using

We will collect, store, and use:

4.3 Why we’re allowed to use your data

We collect, store, and use your data based on contractual necessity (Article 6 Section 1 Letter b of the General Data Protection Regulation).

4.4 For how long we will store your data

We will store your data until November 6th, 2025 which is one month after our conference is concluded.

4.5 Where we store your data and how

We store registration data electronically in our systems and, where submitted or created on paper, in physical files. Paper records are kept in locked storage with access restricted to authorised persons until the data has been securely transferred into our electronic systems. Once the transfer has been completed, the paper records will be destroyed. Electronic records are protected by appropriate technical and organisational measures.

4.6 Whether we will disclose your data to others

Besides the venue hotel who needs your information to accommodate for your stay, we will not make your data available to others.

4.7 Whether there will be recipients outside of the European Union

We will not make your data available to recipients that are international organisations or are situated outside of the European Union.

4.8 Whether you have to provide your data

You’re neither legally nor contractually obligated to provide us with your data. Some of your data (such as your email address, legal name and postal address) will be a prerequisite for entering into a contractual relationship with us.

4.9 Whether we make automated decisions or create profiles

We will not use your data to make automated decisions or to create profiles.

4.10 These are your rights

Access (Article 15 of the General Data Protection Regulation): You are entitled to ask us whether, and if we do, why and how we are using your data. You may also request a copy of your data.

Rectification and supplementation (Article 16 of the General Data Protection Regulation): Whenever your data is inaccurate or incomplete, you are entitled to have it rectified or your missing data supplemented.

Deletion (Article 17 of the General Data Protection Regulation): You may have your data deleted if

Please be aware that we may, at least under certain circumstances, legitimately refuse to delete your data, for example when we need your data to either pursue our legal claims or defend ourselves against the legal claims of others. Whenever we refuse to delete your data, we will notify you and disclose our reasons.

Restriction of processing (Article 18 of the General Data Protection Regulation): Whenever you

you may (instead of deletion) request that we restrict the use of your data until we can verify your claim or you lift the restriction. When you request the restriction of your data’s use, we will be allowed to keep storing it, but we will not use it unless it is necessary to pursue our legal claims or defend ourselves against the legal claims of others.

Data portability (Article 20 of the General Data Protection Regulation): You may request that we hand out your data as a parsable file (for example as CSV).

Please contact us whenever you wish to exercise one of these rights! Although there are no formal requirements as to how you can (and cannot) exercise your rights, we’d like to encourage you to do it in writing. If you like, you can also use one of the templates provided by the German federal data protection authority.

5. Membership in the Association

When you apply as member for our Open Security Community e. V. association, we will collect, store, and use information to manage your membership and to you contact you, including your email address. We may receive your membership application electronically or on paper and will process it accordingly.

5.1 Why we use your data

We process the personal data of our members for the administration of membership and for collecting membership fees via SEPA direct debit or bank transfer. In addition, this data is used for internal communication with members and for fulfilling legal obligations towards competent authorities (such as public authorities, courts, or notaries).

5.2. Which of your data we are using

We will collect, store, and use:

5.3 Why we’re allowed to use your data

The processing of member data is based on Art. 6(1)(b) GDPR (performance of the membership contract) and Art. 6(1)(c) GDPR (compliance with legal obligations). In addition, we rely on Art. 6(1)(f) GDPR where processing is necessary to safeguard the legitimate interests of the association (e.g. for effective internal communication).

5.4 For how long we will store your data

Personal data of members is stored for the duration of active membership. After termination of membership, the data will be deleted as soon as it is no longer required for the purposes mentioned and no statutory retention periods prevent deletion. Statutory retention obligations - for example under tax law - are typically 10 years and will be observed in such cases.

5.5 Where we store your data and how

Member data is stored on the association’s own computers and servers (Nextcloud). For communication purposes, we use Proton Mail as external email provider and the transfer of emails is encrypted. No processing takes place outside the European Union. Special categories of personal data within the meaning of Art. 9 GDPR (e.g. health data) are not processed in connection with association membership.

5.6 Whether we will disclose your data to others

Within the association, only those persons who need access to member data for the purposes mentioned above have access. Personal data is only passed on to external parties within the scope of legal obligations or legitimate requests (e.g. to supervisory authorities, courts, or notaries, if required by law).

5.7 Whether there will be recipients outside of the European Union

We will not make your data available to recipients that are international organisations or are situated outside of the European Union.

5.8 Whether you have to provide your data

You’re neither legally nor contractually obligated to provide us with your data. Some of your data (such as your email address, legal name, postal address, date of birth and bank account details) will be a prerequisite for entering into a contractual relationship with us.

5.9 Whether we make automated decisions or create profiles

We will not use your data to make automated decisions or to create profiles.

5.10 These are your rights

Access (Article 15 of the General Data Protection Regulation): You are entitled to ask us whether, and if we do, why and how we are using your data. You may also request a copy of your data.

Rectification and supplementation (Article 16 of the General Data Protection Regulation): Whenever your data is inaccurate or incomplete, you are entitled to have it rectified or your missing data supplemented.

Deletion (Article 17 of the General Data Protection Regulation): You may have your data deleted if

Please be aware that we may, at least under certain circumstances, legitimately refuse to delete your data, for example when we need your data to either pursue our legal claims or defend ourselves against the legal claims of others. Whenever we refuse to delete your data, we will notify you and disclose our reasons.

Restriction of processing (Article 18 of the General Data Protection Regulation): Whenever you

you may (instead of deletion) request that we restrict the use of your data until we can verify your claim or you lift the restriction. When you request the restriction of your data’s use, we will be allowed to keep storing it, but we will not use it unless it is necessary to pursue our legal claims or defend ourselves against the legal claims of others.

Data portability (Article 20 of the General Data Protection Regulation): You may request that we hand out your data as a parsable file (for example as CSV).

Please contact us whenever you wish to exercise one of these rights! Although there are no formal requirements as to how you can (and cannot) exercise your rights, we’d like to encourage you to do it in writing. If you like, you can also use one of the templates provided by the German federal data protection authority.

6. Handling of Incidents and Compliance Reports

If an incident occurs during the conference (for example a report of non-compliance with our Code of Conduct, such as harassment or other misconduct), we will collect, store, and use all data necessary to investigate and handle the case.

6.1 Why we use your data

We will collect, store, and use personal data to investigate the reported incident, to take appropriate action (such as sanctions or exclusion from the conference), and to comply with any legal obligations that may arise.

6.2 Which of your data we are using

Depending on the case, we may collect, store, and use:

6.3 Why we’re allowed to use your data

We process this data based on our legitimate interest (Article 6 Section 1 Letter f GDPR) in ensuring a safe conference environment and enforcing our Code of Conduct. Where necessary to comply with legal obligations, processing is also based on Article 6 Section 1 Letter c GDPR. If the report includes special categories of personal data (such as health data), processing will be based on Article 9 Section 2 Letter f GDPR (establishment, exercise, or defence of legal claims).

6.4 For how long we will store your data

We will store your data for as long as necessary to handle the incident and any related proceedings. If legal obligations require longer storage (for example to comply with statutory limitation periods), we will keep the data until those obligations are met. Data that is no longer needed will be securely deleted.

6.5 Where we store your data and how

Incident data is stored electronically in secure systems and, where initially collected on paper, in locked storage accessible only to authorised persons until transfer to our electronic systems is completed. Paper records will then be destroyed. All electronic records are protected by appropriate technical and organisational measures.

6.6 Whether we will disclose your data to others

We will treat all reports confidentially. Data may be disclosed only to those within the organisation who are responsible for handling compliance cases, and, where necessary, to external advisors (such as legal counsel) or competent authorities.

6.7 Whether there will be recipients outside the European Union

We will not make your data available to recipients that are international organisations or are situated outside the European Union.

6.8 Whether you have to provide your data

You are not legally obligated to provide data in this context. However, without sufficient information, we may be unable to investigate or resolve the reported incident.

6.9 Whether we make automated decisions or create profiles

We will not use your data to make automated decisions or to create profiles.

6.10 These are your rights

Access (Article 15 of the General Data Protection Regulation): You are entitled to ask us whether, and if we do, why and how we are using your data. You may also request a copy of your data.

Rectification and supplementation (Article 16 of the General Data Protection Regulation): Whenever your data is inaccurate or incomplete, you are entitled to have it rectified or your missing data supplemented.

Deletion (Article 17 of the General Data Protection Regulation): You may have your data deleted if

Please be aware that we may, at least under certain circumstances, legitimately refuse to delete your data, for example when we need your data to either pursue our legal claims or defend ourselves against the legal claims of others. Whenever we refuse to delete your data, we will notify you and disclose our reasons.

Restriction of processing (Article 18 of the General Data Protection Regulation): Whenever you

you may (instead of deletion) request that we restrict the use of your data until we can verify your claim or you lift the restriction. When you request the restriction of your data’s use, we will be allowed to keep storing it, but we will not use it unless it is necessary to pursue our legal claims or defend ourselves against the legal claims of others.

Data portability (Article 20 of the General Data Protection Regulation): You may request that we hand out your data as a parsable file (for example as CSV).

Please contact us whenever you wish to exercise one of these rights! Although there are no formal requirements as to how you can (and cannot) exercise your rights, we’d like to encourage you to do it in writing. If you like, you can also use one of the templates provided by the German federal data protection authority.

C. Your right to file a complaint

In case you presume that we have violated your privacy rights, you may file a complaint with the data protection authority in the European Union member state where you live, work, or where the supposed violation of your rights happened. The German federal data protection authority provides further information on the competent authorities and how to contact them.

We respect your privacy rights and to not want to limit them in any way! However, we kindly ask you to contact us before you file a complaint against us.


Privacy notice kindly contributed by Raphael Albert.