The controller in the meaning of General Data Protection Regulation (GDPR) is:
VRtual X GmbH
Hegestraße 40
20251 Hamburg
x@vrtual-x.com
+49 40 32318846
Questions regarding data protection can also be addressed directly to our data protection officer:
Attorney David Heimburger
dh@davidheimburger.de
+49 40 22863648
We summarize here the general rights that you have under the GDPR with regard to your personal data processed by us. For an explanation of the legal terms, please refer to the applicable definitions in the GDPR (see Article 4). If anything remains incomprehensible, please do not hesitate to ask us.
Any form of processing of personal data requires a legal basis that allows us to do so. The legal basis primarily results from the purpose for which the data is processed. The lawfulness within a legal basis is regularly measured according to the specific scope of the data processing and the measures we have taken to protect your data.
Legal bases for data processing arise from Article 6(1) GDPR and for particularly sensitive data such as health data from Article 9(2) GDPR. These two regulations name the preparation or fulfilment of contractual, legal or also social obligations as the most important legal bases for data processing. In addition, many data processing operations are carried out in our legitimate interest, unless the interests of the data subjects prevail in view of the specific circumstances. If one of the aforementioned types of legal basis is relevant, the processing does not require any further consent from you.
In addition, data processing may be carried out on the basis of consent from you (Article 7 GDPR) or for persons under the age of 16 when using information society services (e.g. websites, online games, social media platforms) by the children or young people in conjunction with the consent of a parent or guardian (Article 8 GDPR).
We would like to expressly point out that none of our offers are aimed at persons under the age of 16.
In part, our obligation to ask for your consent does not, or not solely, result from the GDPR but from the stricter law under the EU ePrivacy Directive of 2002 (often called the “Cookie Directive”). The provisions of this directive apply in Germany via the German Telecommunication Telemedia Data Protection Act (TTDSG) and the Unfair Competition Act (UWG). We have taken into account the obligations arising from these laws without explicitly referring to them in the following.
If a data transfer to a state outside the European Economic Area (EEA) takes place, we ensure that data protection is secured in the sense of Articles 44 – 49 GDPR.
Cookies are text files that are stored by your browser on your device when you visit a website. Different information can be stored in a cookie. Sometimes a cookie only stores a yes or no (“true” or “false”), sometimes a string of characters is stored that enables the browser to be uniquely identified when the website is called up again (a so-called cookie ID).
The right to set cookies is not only determined by the GDPR, but also by the EU ePrivacy Directive and Section 25 TTDSG. The TTDSG distinguishes between cookies that are strictly necessary to provide a information society service (essential cookies) and those that are not. Essential cookies may also be set without consent, but non-essential cookies always require consent – even if this is not required under the GDPR (e.g. there is a legitimate interest as a legal basis).
Before we store non-essential cookies on your terminal device, we ask for your consent in accordance with the requirements of the ePrivacy Directive.
The purpose of each cookie and the legal basis for its use according to the GDPR can be seen from the following description of the single means of data processing.
There are various ways for you to prevent the acceptance of cookies on your device:
Description: In order for a web server to make our website available to your browser, the server must collect technical data about the device you are using, your browser and your internet access. This is referred to as a log file or weblog. This is the same data that you necessarily leave behind with every internet page that you call up. At the centre is the IP address from which you call up our pages. The web server sends the data you want to see to this internet address.
Data categories: IP address from which our site was accessed; date and time of access; objects on our website accessed in the browser; type and version of Internet browser; type and version of operating system.
Data recipient (if applicable, third country transfer): Our hosting service provider, who is bound to data protection via an order processing agreement, is located in the EEA. In the event of attacks on our pages, data is passed on to forensic experts and investigating authorities commissioned by us. A transfer to third countries does not take place.
Purpose + legal basis: Provision of our website as well as investigations should unlawful access to our websites occur (e.g. a hacker attack). Legal basis is a legitimate interest, as the operation of a website is not possible without the collection of the weblog. In the specific case of an attack on our website, we have a legitimate interest in being able to provide investigators with evidence of how the attack took place.
Storage period: 7 days
Description: For all cookies requiring consent, we ask for your consent before storing them in your browser cache. The decisions you make will in turn be stored in a cookie on your device so that we do not have to ask for your consent again when you visit our website next time. You can revise your decision at any time by deleting the corresponding cookie from your device via your browser settings.
Data categories: Consent status (Yes/No)
Data recipient (if applicable, third country transfer): None
Purpose + legal basis: Legally compliant consent management for cookies. Legal basis is a legitimate interest, as saving the cookie decision only slightly restricts the rights of visitors and at the same time simplifies the use of the pages on repeated visits. This cookie may also be set without your consent according to § 25 TTDSG, as the cookie choice is to be considered an essential function.
Storage period: Until the corresponding cookie is deleted from your browser cache or until the expiry date of the cookie is reached
Description: We show films via a video player from Vimeo. When you call up a page equipped with a Vimeo player, a connection is established to the Vimeo servers. This tells Vimeo which of our pages you have visited and which film you have watched. We use Vimeo in do-not-track mode, so that no cookies are set by Vimeo in your browser.
You can find further information on the handling of your data in the Vimeo data protection declaration: https://vimeo.com/privacy
Data categories: IP address from which our site was accessed; date and time of access; films accessed; sharing functions used to recommend the film; type and version of internet browser; type and version of operating system
Data recipient (if applicable, third country transfer): Vimeo Inc, 555 West 18th Street, New York, New York 10011, USA. The data collected by Vimeo is transferred to servers in the USA and processed there. The resulting data transfer outside the EEA is secured by the conclusion of EU standard data protection clauses.
Purpose + legal basis: We use the Vimeo player to provide you with powerful video streaming. The legal basis for the data transfer to Vimeo is a legitimate interest, as we use Vimeo in do-not-track mode.
Storage period: The storage period is the responsibility of Vimeo.
Description: Our website shows films via a video player from YouTube, a subsidiary of Google. When you access a page equipped with a YouTube player, a connection to YouTube’s servers is established and cookies from Google are set in your browser. This tells Google which of our pages you have visited and which film you have watched. Google sets the following cookies via the YouTube player, for example: CONSENT, GPS, Visitor_Info1_Live, YSC, IDE.
We do not receive any data about your usage behaviour from Google with regard to this data collection.
If you are logged into your YouTube or Google account while visiting our site, you enable Google to associate your usage behaviour directly with your personal profile. You can prevent this by logging out of your account.
For more information on how your data is handled, please refer to Google’s privacy policy at https://www.google.de/intl/de/policies/privacy.
Data categories: IP address from which our site was accessed; date and time of access; films accessed; sharing functions used to recommend the film; type and version of internet browser; type and version of operating system; Google ID stored in cookies
Data recipient (if applicable, third country transfer): Google LLC, for us as a European organisation contactable via Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. The data collected as part of the YouTube application is transferred to Google servers in the USA and processed there. The resulting data transfer outside the EEA is secured by the conclusion of EU standard data protection clauses.
Purpose + legal basis: We use the YouTube player to provide you with powerful video streaming. The legal basis for the data transfer to Google is your cookie consent for the YouTube player.
Storage period: Google is responsible for the storage period.
Taking pictures with the Selfie X-Box
Description: The camera of the SelfieX box captures people standing in front of the box from the moment the touch screen is activated by touch. During the selection of the desired SelfieX portrait, the Box does not yet save any images or other forms of personal data.
A SelfieX portrait is saved when the corresponding button on the touch screen is tapped. The technology in the SelfieX box saves the portrait as it was displayed on the screen as a montage of the camera shot and the selected accompanying subject. The SelfieX portrait is stored on an Internet server via an SSL-encrypted connection and is available from there for downloading, which is also SSL-encrypted.
A QR code is displayed on the screen for a short time, which can be resolved as an Internet address via corresponding QR code readers. Most smartphones automatically offer the individual download page for the portrait when the smartphone camera is pointed at the QR code. Depending on the browser used, the image file is automatically offered for download into one’s own photo collection or this process can be started, for example, by tapping on the image for a longer period of time.
After downloading the file, the use of the image is the responsibility of the user. The person portrayed is responsible for ensuring that only he or she retrieves his or her QR code and, if necessary, saves it or independently passes it on to third parties or makes it public.
The image file is stored on the SelfieX server for 24 hours and then automatically deleted. After that, the download link leads nowhere. The storage takes place on a self-operated server in a German data centre. The image file is not passed on to anyone by the provider of the SelfieX box, unless criminal investigation authorities can prove corresponding rights of surrender.
Data categories: Image recording
Data recipient (if applicable, third country transfer): The hosting service provider for the server, which is obligated to data protection via a data processing agreement, and its data centre are located in Germany. A third country transfer does not take place. In the event of a lawful order to hand over the data, it will be passed on to the investigating authorities.
Purpose + legal basis: Provision of a photo box for self-portraits in connection (montage) with supplementary photo motifs. The legal basis is the fulfilment of a contract, as the SelfieX-Box is a service that is actively and specifically used by users to create and obtain selfie montages.
Storage period: 24 hours
Description: In order for the SelfieX server to be able to transfer the selfie to your browser (download), the server must collect technical data about your device used for this purpose, your browser and your internet access. This is called the logfile or weblog. This is the same data that you necessarily leave behind with every internet page that you call up. At the centre is the IP address from which you call up the pages. To this Internet address, the server sends you the data that you want to see or download.
Data categories: IP address from which our site was accessed; date and time of access; objects on our website accessed in the browser; type and version of internet browser; type and version of operating system.
Data recipient (if applicable, third country transfer): The hosting service provider for the server, which is bound to data protection via an data processing agreement, and its data centre are located in Germany. A third country transfer does not take place. In the event of attacks on our server, data is passed on to forensic experts commissioned by us. In the event of a lawful order to hand over the data, it will be passed on to the investigating authorities.
Purpose + legal basis: Provision of the download option as well as investigations in the event of unlawful access to our server (e.g. a hacker attack). Legal basis is a legitimate interest, as the operation of a website is not possible without the collection of the weblog. In the specific case of an attack on our server, we have a legitimate interest in being able to provide investigators with circumstantial evidence of how the attack took place.
Storage period: 7 days
For all other topics (e.g. direct communication with us, job applications, exchanges with business partners, our social media channels or our general infrastructure), please refer to our general data protection information at: https://vrtual-x.com/datenschutz
Last update: June 2021
