Privacy policy

We are glad about your interest in our offer. With this privacy policy, we’d like to inform you about the nature, scope and purpose of the personal data processed by us, on the websites https://cemas.io/ and https://report.cemas.io as well as their subdomains (hereafter only “website”), and your rights as a data subject.

I. General

1. Controller

The controller responsible for data processing pursuant to Art. 4 No. 7 GDPR is CeMAS - Center für Monitoring, Analyse und Strategie gGmbH, Konstanzer Straße 15A, D-10707 Berlin (hereafter referred to as “we” or “us”), unless otherwise stated in this Privacy Policy.

2. Contact details

Please contact us at any time at the following contact details if you have any questions or suggestions regarding data protection and the enforcement of your rights as a data subject:

CeMAS - Center für Monitoring, Analyse und Strategie gGmbH
Konstanzer Straße 15A
D-10707 Berlin

Email address: info@cemas.io

The PGP fingerprint for secure communication is:
47C7 FF17 8189 7E0C AAEA  EF10 18AD 4562 7060 B98A
 PGP key

You can reach our data protection officer by email at the address:

JBB Data Consult GmbH
Friedrichstraße 95, 10117 Berlin

Email address: datenschutz@cemas.io

3. Browsing our website

Purposes: In principle, you can use our website without providing personal data. However, some technical data is generated during use, which may be considered as personal data, especially your IP addressto identify you. When you visit our website, we also store this data in so-called log files. A log file consists of

  • IP address of the requesting computer
  • Date and time of access
  • Name and the URL of the retrieved file
  • The website from which you access the file
  • The browser and browser version you use

The processing of your IP address during the connection is done so that we can provide you with our website. The storage of log files serves to ensure the security and integrity of our systems.

Recipient: The processing of the aforementioned data is carried out on our instructions by our web host Host Europe GmbH, Friesenplatz 4, 50672 Cologne, Germany. The aforementioned data is transferred to a Host Europe server and stored there. The processing is governed by an agreement with Host Europe in accordance with Art. 28 GDPR.

Legal basis: The processing of the data is based on Art. 6 (1) (f) GDPRO. Our legitimate interest lies in the previously mentioned purposes.

Storage period: Our log files are stored for 3 months.

4. Contacting us via email

Purposes: You can contact us via email. In the course of our communication, we process your email address and all information that you send us with your message. We process your personal data to answer your inquiry.

Legal basis: The legal basis for this is Art. 6 (1) (f) GDPR. Our legitimate interest lies in the aforementioned purpose.

Storage period: We delete the data processed for this purpose 12 months after termination of active communication with you.

5. Formspree contact form

Purposes: On our website you can reach us via contact form. We use the service Formspree Inc, 309 E 21st St, Rm 3331, Austin, Texas, 78705, United States (“Formspree”). You can especially use our contract form for general inquiries and requests regarding our events. When using the contact form, we process the following information:

  • Last name & first name (optional)
  • Email address
  • Subject

Furthermore, we process all information that you send us with your message via the contact form. We use Formspree to check the entered information for spam, to transfer it to our email provider and finally to receive your message.

Recipients: If you use our contact form, then your data will be transmitted to our email provider via Formspree’s API on our instruction (Art. 28 GDPR). At Formspree, the data is not stored permanently.

Legal basis: The processing of your personal data when replying to your message is done exclusively to answer your request. The legal basis for this is Art. 6 (1) (f) GDPR. Our legitimate interest lies in the aforementioned purpose.

Storage period: If you contact us via our contact form, we store your data for a period of 12 months after the end of our communication and then delete the data immediately.

6. Newsletter

Purposes: If you are interested in our expertise and services, you may wish to subscribe to our newsletters. To subscribe, you can use the form on our website. We will then process your data to send you the email newsletter.

Recipients: The processing is carried out on our instructions by Intuit Mailchimp, the Rocket Science Group LLC, 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA. Insofar as data is processed outside the EU/EEA and there is no level of data protection corresponding to the European standard, we have also included the respective SCCs (https://mailchimp.com/legal/Controller-Processor-SCC-2021/) of the European Union with Mailchimp into our data processing agreement: https://mailchimp.com/de/legal/data-processing-addendum/ in order to establish an appropriate level of data protection.

Legal basis: The legal basis for this data processing is your consent pursuant to Art. 6 (1) (a) GDPR.

Right of withdrawal: You can withdraw your consent for future processing at any time by contacting us at the address info@cemas.io or using the unsubscribe link in one of the messages sent.

Storage period: Your data will no longer be used for mailing purposes after you revoke your consent, but we will retain your opt-in data for a further 3 years after revocation for verification purposes and to enable us to defend ourselves against any legal claims.

7. Twingle donation form

Purposes: On our website you can donate to us via the form of twingle GmbH, Prinzenallee 74, 13357 Berlin (twingle). To donate to us, you need to enter some information in the form:

  • Donation amount
  • Interval of donation
  • Own or gift donation
  • Payment method
  • IBAN (optional)
  • Surname, First name (optional)
  • Email address (optional)
  • Phone number (optional)

We then use this data to make the donation and issue a donation receipt if requested.

Recipients: The processing of the data is carried out on our behalf by twingle. We have concluded a data processing agreement with twingle in accordance with Art. 28 GDPR. We remain responsible for the described processing of your personal data.

Legal basis: Your data is processed to receive and process your donation. The legal basis is Art. 6 (1) (f) GDPR.

Storage period: Your booking data from the entries in the donation form are processed for the statutory retention periods and then deleted.

8. Job Application

Purposes: If you wish to work with us, you can apply for vacancies or on your initiative. We will then process your information to assess your application and decide whether we can offer you a job.

Recipients: Your application will be viewed and assessed internally by the competent persons.

Legal basis: The legal basis for the processing is Section 26 (1) of the German Federal Data Protection Act (BDSG).

Storage period: We process your data for the above-mentioned purposes until a decision is made about your employment. We then retain your data for a period of 6 months for the purpose of defending against any legal claims.

Purposes: We are subject to statutory retention obligations for certain documents. These documents may also contain personal data, for example if they are contracts, invoices, donation receipts or business letters. The storage obligations result from § 257 of the German Commercial Code (HGB)and § 147 of the German Tax Code (AO). Documents subject to retention are:

  • Books and records, inventories, annual financial statements, individual financial statements pursuant to Section 325 (2a) of the German Commercial Code (HGB), consolidated financial statements, management reports, group management reports, the opening balance sheet as well as the operating instructions and other organizational documents required for their understanding, accounting documents, documents pursuant to Article 15 (1) and Article 163 of the Union Customs Code.
  • Received commercial or business letters, copies of sent commercial or business letters, other documents, as far as they are relevant for taxation.

Recipients: We may disclose this information to auditors, consultants or other persons or authorities charged with auditing our accounts.

Legal basis: The legal basis for this processing is Art. 6 (1) (c) GDPR in conjunction with those laws, which order that we must keep the records respectively.

Storage period: Specifically, the following documents are to be retained by us for the specified period:

  • For 10 years: books and records, inventories, annual financial statements, individual financial statements pursuant to Section 325 (2a) HGB, consolidated financial statements, management reports, group management reports, the opening balance sheet as well as the operating instructions and other organizational documents required for their understanding, accounting documents, documents pursuant to Article 15 (1) and Article 163 of the Union Customs Code.
  • For 6 years: received commercial or business letters, copies of sent commercial or business letters, other documents, as far as they are relevant for taxation.

The respective retention period begins at the end of the calendar year in which the last entry in the accounting records, inventory, opening balance sheet, annual financial statements or management report, received or sent commercial or business letter, prepared accounting record, prepared record or other documents were prepared.

10. Visiting our social media profiles

We maintain profiles on social media networks. Our social media accounts complement our website and offer you the opportunity to interact with us on the networks. Once you access our social media profiles on the social networks, the terms and conditions and data processing policies of the respective social network operators apply. The data collected about you when using the services is processed by the networks and may also be transferred to or processed in countries outside the European Union where there is no adequate level of protection for the processing of personal data.

We have no influence on the data processing in the social networks, since we, like you, are users of the network. Further information, especially what data is processed by the social networks and for what purposes the data is used can be found in the privacy policy of the respective network listed below. We use the following social networks:

a) Twitter

Our site is available at: https://twitter.com/cemas_io
The operator of the network is: Twitter International Unlimited Company, One Cumberland Place, Fenian Street AX07 IRELAND Dublin 2, D02
Privacy policy of the network: https://twitter.com/de/privacy

b) Instagram

Our site is available at: https://www.instagram.com/cemas_io/
The operator of the network is: Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland.
Privacy policy of the network: https://privacycenter.instagram.com/

c) Bluesky

Our site is available at: https://bsky.app/profile/cemas.io
The operator of the network is: Bluesky Social, PBC, 113 Cherry St, #24821 Seattle, WA 98104, USA.
Privacy policy of the network: https://bsky.social/about/support/privacy-policy

d) Mastodon

Our site is available at: https://mastodon.social/@cemas_io
The operator of the instance is: Mastodon gGmbH, Mühlenstraße 8a, 14167 Berlin, Germany
Privacy policy of the instance: https://mastodon.social/privacy-policy

e) Processing on Social Networks and Joint Control

Purposes: We process personal data as a (separate) data controller when you send us requests via the social media profiles. We process this data to respond to your requests.

In addition, we are joint controllers with the following networks and for the following processing operations (Art. 26 GDPR).

  • As part of visiting our profile on the LinkedIn network, the network collects aggregated statistics (“Insights Data”) created from certain events logged by their servers when you interact with our profiles and related content. We receive these aggregated and anonymous statistics from the network about our profile usage. We are generally not able to attribute the data to specific users. To a certain extent, we can determine the criteria according to which the network creates these statistics for us. We use these statistics to make our profiles more interesting and informative for you.

For more information on this data processing, please refer to the Joint Controller Agreement at: https://legal.linkedin.com/pages-joint-controller-addendum. Otherwise, the network is solely responsible for the processing of your data.

Legal basis: The processing is based on our legitimate interest in doing so (Art. 6 para. 1 lit. f GDPR). The interest lies in the respective purpose.

Storage period: We do not store any personal data ourselves within the scope of joint responsibility. With regard to contact requests outside the network, the information provided above on contacting us applies accordingly.

II. Storage and/or retrieval of information from a terminal device

When you use our site, information may be stored on your terminal device or information already stored on it may be accessed if this is absolutely necessary for our offer and we cannot otherwise provide the service (Section 25 (2) TTDSG). Otherwise, we will only store information on your terminal device or access information already stored on it if you have given us your prior informed consent.

III. Recipient categories

Unless explicitly stated otherwise in this privacy policy, only persons within our company have access to your personal data. Furthermore, these persons must be responsible for processing the requests and have appropriate access to the IT system. In addition, we only use external service providers, apart from those explicitly mentioned, insofar as we cannot or cannot reasonably perform services ourselves. Data will only be transferred to countries outside the European Union if we inform you about such a transfer in this privacy policy.

IV. Data subject rights

The General Data Protection Regulation guarantees you certain rights that you can assert against us - insofar as the legal requirements are met.

Art. 15 GDPR - Right of access by the data subject:

You have the right to request confirmation from us as to whether personal data relating to you is being processed and, if so, what that data is and the circumstances under which it is being processed.

Art. 16 GDPR - Right to rectification:

You have the right to demand that we correct any inaccurate personal data relating to you without undue delay. You also have the right, taking into account the purposes of the processing, to request the completion of incomplete personal data - also by means of a supplementary statement.

Art. 17 GDPR - Right to erasure:

You have the right to demand that we delete personal data concerning you without delay.

Art. 18 GDPR - Right to restriction of processing:

You have the right to demand that we restrict processing.

Art. 20 GDPR - Right to data portability:

You have the right, in the case of processing based on consent or for the performance of a contract, to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format, and to transfer this data to another controller without hindrance from us, or to have the data transferred directly to the other controller, insofar as this is technically feasible.

Art. 21 GDPR - Right to object:

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is necessary for a legitimate interest on our part or for the performance of a task carried out in the public interest, or which is carried out in the exercise of official authority.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.

Insofar as we process your personal data for the purpose of direct marketing, you have the right to object to the processing at any time. If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.

Art. 77 GDPR in conjunction with § 19 BDSG – right to lodge a complain with a supervisory authority:

You have the right to lodge a complaint with a supervisory authority at any time, in particular in the Member State of your residence, workplace or the place of the alleged infringement, if you believe that the processing of personal data concerning you violates applicable law. Insofar as you have given us consent, you have the right to revoke this consent at any time. This can be done by email to info@cemas.io. The lawfulness of the processing previously carried out is not affected by this.

V. Obligation to provide data

You have no contractual or legal obligation to provide us with personal data. However, without the data you provide, we may not be able to offer you all of our services.

VI. Existence of automated decision-making (including profiling)

In the course of a visit to our website, you will not be subject at any time to automated decision-making in the processing of personal data which would produce legal effects vis-à-vis you or which could affect you in any other way.

VII. Changes to this privacy policy

We may change this Privacy Policy from time to time. We will notify you of changes by posting them here or by other appropriate means.

Berlin, February 2023

Follow us on