Privacy Policy

With the following privacy policy, I would like to inform you about what types of your personal data (hereinafter referred to as "data") I process for which purposes and to what extent. This privacy policy applies to all personal data processing activities carried out by me, both in the context of providing my services and, in particular, on my websites, in mobile applications, and within external online presences, such as my social media profiles (hereinafter collectively referred to as "online offering").
Date: May 29, 2024

Responsible Party under Article 13 GDPR

Johannes Schmülling
Director of Photography
Deutz-Mülheimer Str. 274
D-51063 Cologne

+49 170 979 6000
hey@johannesschmuelling.de

Types of Data Processed

Inventory data (e.g., names, addresses).
Content data (e.g., text input, photographs, videos).
Contact data (e.g., email, phone numbers).
Meta/communication data (e.g., device information, IP addresses).
Usage data (e.g., visited websites, interest in content, access times).
Contract data (e.g., contract subject, duration, customer category).
Payment data (e.g., bank details, invoices, payment history).

Categories of Data Subjects

Business and contractual partners.
Interested parties.
Communication partners.
Users (e.g., website visitors, users of online services).

Purposes of Processing

Provision of my online offering and user-friendliness.
Evaluation of visitor actions.
Office and organizational procedures.
Direct marketing (e.g., via email or postal mail).
Interest-based and behavioral marketing.
Contact requests and communication.
Profiling (creating user profiles).
Remarketing.
Reach measurement (e.g., access statistics, recognition of returning visitors).
Security measures.
Tracking (e.g., interest/behavior-based profiling, use of cookies).
Contractual services and support.
Management and response to inquiries.

Security Measures

In accordance with legal requirements, I take appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons.

The measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as the data concerning access, input, transfer, ensuring availability, and separation. Furthermore, I have established procedures that ensure the exercise of data subject rights, the deletion of data, and responses to data threats. Additionally, I take the protection of personal data into account during the development or selection of hardware, software, and procedures, following the principle of data protection through technology design and through data protection-friendly default settings.

SSL or TLS Encryption (https): To protect your data transmitted via my online offering, I use SSL encryption. You can recognize such encrypted connections by the prefix https:// in the address bar of your browser.

Server Location in Germany: Data you transmit to me (e.g., in the form of an email) is mostly stored and processed within the European Union.

Disclosure of Personal Data

In the course of processing personal data, it may occur that the data is transmitted to other entities, companies, legally independent organizational units, or individuals or disclosed to them. The recipients of this data may include, for example, payment institutions in the context of payment transactions, service providers entrusted with IT tasks, or providers of services and content that are integrated into a website. In such cases, I comply with the legal requirements and conclude corresponding data processing agreements that serve to protect your data with the recipients of your data.

Commercial and Business Services

I process data of my contractual and business partners, such as customers and interested parties (collectively referred to as "contractual partners") within the context of contractual and comparable legal relationships as well as related measures and in the context of communication with the contractual partners (or pre-contractually), e.g., to answer inquiries.

I process this data to fulfill my contractual obligations, to secure my rights, and for the purposes of the administrative tasks associated with this information and the business organization. I only disclose the data of contractual partners to third parties within the framework of the applicable law to the extent necessary for the aforementioned purposes or to fulfill legal obligations or with the consent of the contractual partners (e.g., to involved telecommunications, transport, and other auxiliary services, as well as subcontractors, banks, tax and legal advisors, payment service providers, or tax authorities). Further processing forms, e.g., for marketing purposes, are informed to the contractual partners within the scope of this privacy policy.

I inform the contractual partners which data is required for the aforementioned purposes before or in the course of data collection, e.g., in online forms, by special marking (e.g., colors) or symbols (e.g., asterisks), or personally.

I delete the data after the expiration of legal warranty and comparable obligations, i.e., generally after four years, unless the data is stored in a customer account, e.g., as long as they have to be retained for legal reasons (e.g., for tax purposes usually 10 years). Data disclosed to me by the contractual partner in the course of an order will be deleted in accordance with the specifications of the order, generally after the end of the order.

To provide my services, I use third-party providers or platforms. In the relationship between users and the providers, the terms and conditions and privacy notices of the respective third-party providers or platforms apply.

Artistic and Literary Services: I process the data of my clients to enable them to select, acquire, or commission the chosen services or works as well as related activities and their payment and delivery or execution or performance.

The required information is identified as such within the scope of the order, purchase, or comparable contract conclusion and includes the information required for delivery and billing as well as contact information to be able to hold any consultations.

Types of Data Processed: Inventory data (e.g., names, addresses), payment data (e.g., bank details, invoices, payment history), contact data (e.g., email, phone numbers), contract data (e.g., contract subject, duration, customer category).
Data Subjects: Interested parties, business and contractual partners.
Purposes of Processing: Contractual services and support, contact requests and communication, office and organizational procedures, management and response to inquiries.
Legal Basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sent. 1 lit. b. GDPR), legal obligation (Art. 6 para. 1 sent. 1 lit. c. GDPR), legitimate interests (Art. 6 para. 1 sent. 1 lit. f. GDPR).

Contact

When contacting me, for example, by email, phone, or via Instagram, the information of the requesting persons is processed to the extent necessary to respond to the contact requests and any requested measures.

Responding to contact requests in the context of contractual or pre-contractual relationships is carried out to fulfill my contractual obligations or to respond to (pre)contractual inquiries and otherwise based on the legitimate interests in responding to the inquiries.

Types of Data Processed: Inventory data (e.g., names, addresses), contact data (e.g., email, phone numbers), content data (e.g., text input, photographs, videos).
Data Subjects: Communication partners.
Purposes of Processing: Contact requests and communication.
Legal Basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sent. 1 lit. b. GDPR), legitimate interests (Art. 6 para. 1 sent. 1 lit. f. GDPR).

Provision of the Web Offering

To provide my online offering securely and efficiently, I use the services of multiple web hosting providers from whose servers (or servers managed by them) the online offering can be accessed. For these purposes, I can use infrastructure and platform services, computing capacity, storage space and database services, as well as security services and technical maintenance services.

The data processed in the context of providing the hosting offering can include all user information of my online offering that is generated in the course of usage and communication. This regularly includes the IP address, which is necessary to deliver the contents of online offerings to browsers, and all entries made within my online offering or from websites.

Email Sending and Hosting: The web hosting services I use also include the sending, receiving, and storing of emails. For these purposes, the addresses of the recipients and senders, as well as further information concerning the email sending (e.g., the involved providers) and the contents of the respective emails, are processed. The aforementioned data may also be processed for spam detection purposes. Please note that emails on the internet are generally not sent in encrypted form. As a rule, emails are encrypted during transport, but (if no so-called end-to-end encryption method is used) not on the servers from which they are sent and received. Therefore, I cannot take responsibility for the transmission path of the emails between the sender and the reception on my server.

Collection of Access Data and Log Files: I (or my web hosting provider) collect data on every access to the server (so-called server log files). The server log files can include the address and name of the retrieved websites and files, date and time of retrieval, transferred data volumes, notification of successful retrieval, browser type and version, the user's operating system, referrer URL (the previously visited page), and as a rule, IP addresses and the requesting provider.

The server log files can be used for security purposes, e.g., to avoid server overload (especially in the case of abusive attacks, so-called DDoS attacks) and on the other hand, to ensure the utilization of the servers and their stability.

Content Delivery Network: I use a "Content Delivery Network" (CDN). A CDN is a service that helps to deliver content of an online offering, especially large media files, such as graphics or program scripts, faster and more securely using regionally distributed and internet-connected servers.

Types of Data Processed: Content data (e.g., text input, photographs, videos), usage data (e.g., visited websites, interest in content, access times), meta/communication data (e.g., device information, IP addresses).
Data Subjects: Users (e.g., website visitors, users of online services).
Purposes of Processing: Provision of the website (web hosting) and accelerated delivery of the website via a Content Delivery Network (CDN).
Used Services and Service Providers:

Web Hosting
Serverprofis GmbH,
Mondstr. 2-4,
D-85622 Feldkirchen,
Germany
Website: https://www.serverprofis.de;
Privacy Policy: https://www.serverprofis.de/datenschutz/

Content Delivery Network (CDN)
BUNNY CDN, BunnyWay d.o.o.,
Cesta komandanta Staneta 4A,
1215 Medvode, Slovenia;
Website: https://bunny.net/
Privacy Policy: https://bunnycdn.com/privacy;

Legal Basis: Legitimate Interests (Art. 6 para. 1 sent. 1 lit. f. GDPR).

Matomo (Cookieless Tracking)

I use Matomo, an open-source software for the statistical analysis of visitor access. Matomo does not use cookies. Instead, tracking is implemented server-side. The IP address is anonymized by 2 bytes (e.g., 192.168.xxx.xxx), making a unique assignment impossible. The data is hosted on promise within the European Union. The legal basis for the use of Matomo is my legitimate interest according to Art. 6 para. 1 lit. f GDPR.

You have the option to prevent actions you take here from being analyzed and linked. This will protect your privacy but will also prevent the owner from learning from your actions and improving the usability for you and other users.

Social Networks

I maintain online presences (see instagram.com/johannesschmuelling) within social networks to communicate with the users active there or to offer information about me there.

I point out that data of users may be processed outside the European Union. This may pose risks for users because it could make it more difficult to enforce users' rights. With regard to US providers certified under the Privacy Shield or offering comparable guarantees of a secure data protection level, I point out that they are thereby committed to complying with EU data protection standards.

Furthermore, user data is generally processed for market research and advertising purposes within social networks. For example, usage profiles can be created based on user behavior and the resulting interests of users. The usage profiles can in turn be used to place advertisements within and outside the networks that presumably correspond to the interests of users. For these purposes, cookies are usually stored on the users' computers, in which the usage behavior and interests of the users are stored. Furthermore, data can also be stored in the usage profiles independently of the devices used by the users (especially if the users are members of the respective platforms and logged in to them).

For a detailed presentation of the respective processing forms and the opt-out options, I refer to the privacy statements and information of the operators of the respective networks.

Also, in the case of information requests and the assertion of data subject rights, I point out that these can be most effectively asserted with the providers. Only the providers have access to the data of the users and can take appropriate measures directly and provide information. If you still need help, you can contact me.

Types of Data Processed: Inventory data (e.g., names, addresses), contact data (e.g., email, phone numbers), content data (e.g., text input, photographs, videos), usage data (e.g., visited websites, interest in content, access times), meta/communication data (e.g., device information, IP addresses).
Data Subjects: Users (e.g., website visitors, users of online services).
Purposes of Processing: Contact requests and communication, tracking (e.g., interest/behavior-based profiling, use of cookies), remarketing.
Legal Basis: Legitimate Interests (Art. 6 para. 1 sent. 1 lit. f. GDPR).

Used Services and Service Providers:

Instagram: Social Network; Service Provider: Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA; Website: https://www.instagram.com; Privacy Policy: https://privacycenter.instagram.com/policy/?entry_point=ig_help_center_data_policy_redirect.

Deletion

The data processed by me will be deleted in accordance with legal requirements as soon as their permitted consents are revoked or other permissions cease to apply (e.g., if the purpose of the processing of this data ceases to apply or they are not necessary for the purpose).

If the data is not deleted because it is required for other and legally permissible purposes, its processing will be limited to these purposes. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or whose storage is necessary for the assertion, exercise, or defense of legal claims or to protect the rights of another natural or legal person.

Your Rights

As a data subject, you have various rights under the GDPR, which arise in particular from Articles 15 to 18 and 21 GDPR:

Right to Object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Article 6 para. 1 lit. e or f GDPR, including profiling based on those provisions. Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, including profiling to the extent that it is related to such direct marketing.
Right to Withdraw Consent: You have the right to withdraw consent at any time.
Right of Access: You have the right to obtain confirmation as to whether or not data concerning you are being processed, and, where that is the case, access to the data and additional information and a copy of the data in accordance with legal requirements.
Right to Rectification: You have the right to obtain the rectification of inaccurate data concerning you or the completion of incomplete data concerning you in accordance with legal requirements.
Right to Erasure and Restriction of Processing: You have the right to demand the immediate deletion of data concerning you or, alternatively, to demand restriction of processing of the data in accordance with legal requirements.
Right to Data Portability: You have the right to receive the data concerning you, which you have provided to me, in a structured, commonly used, and machine-readable format, or to demand its transmission to another controller in accordance with legal requirements.
Right to Lodge a Complaint with a Supervisory Authority: You also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

Supervisory Authority Responsible for Me:

State Commissioner for Data Protection and Freedom of Information
North Rhine-Westphalia
Kavalleriestraße 2-4
40213 Düsseldorf
Phone: +49 211/38424-0
Fax: +49 211/38424-10
Email: poststelle@ldi.nrw.de

Changes and Updates to the Privacy Policy

I ask you to regularly inform yourself about the content of my privacy policy. I adapt this as soon as the changes in the data processing carried out by me make this necessary. I will inform you as soon as changes require your participation (e.g., consent) or other individual notification. If you have any further questions, please feel free to contact me.