I. Name and address of the responsible party

The controller within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:

Montessori Nord gGmbH

Managing Director: Andreas Hagenkötter

Glockengießerstr. 9a

23552 Lübeck

Germany

Email: verwaltung(at)montessori-nord.de

Website: www.montessori-nord.de

II. General information on data processing

1. Scope of processing personal data

We generally process our users' personal data only to the extent necessary for providing a functional website and our content and services. The processing of our users' personal data regularly only occurs with the user's consent. An exception applies in cases where obtaining prior consent is not possible for practical reasons and the processing of the data is permitted by law.

2. Legal basis for the processing of personal data

Where we obtain consent from the data subject for processing personal data, Article 6(1)(a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis. When processing personal data necessary for the performance of a contract to which the data subject is a party, Article 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations necessary for taking steps prior to entering into a contract. Where processing personal data is necessary for compliance with a legal obligation to which our company is subject, Article 6(1)(c) GDPR serves as the legal basis. In the event that processing personal data is necessary to protect the vital interests of the data subject or of another natural person, Article 6(1)(d) GDPR serves as the legal basis. If processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, and such interests are not overridden by the interests or fundamental rights and freedoms of the data subject, Article 6(1)(f) GDPR serves as the legal basis for the processing.

3. Data deletion and storage period

The personal data of the data subject will be erased or blocked as soon as the purpose of storage no longer applies. Storage may also take place if this is provided for by European or national legislation in EU regulations, laws, or other provisions to which the controller is subject. Data will also be blocked or erased when a storage period prescribed by the aforementioned regulations expires, unless further storage of the data is necessary for the conclusion or performance of a contract.

III. Provision of the website and creation of log files

1. Description and scope of data processing

Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing device. The following data is collected:

(1) Information about the browser type and version used

(2) The user's operating system

(3) The user's Internet service provider

(4) The user's IP address

(5) Date and time of access

(6) Websites from which the user's system accessed our website

(7) Websites accessed by the user's system via our website

The data is also stored in our system's log files. This data is not stored together with other personal data of the user.

2. Legal basis for data processing

The legal basis for the temporary storage of the data and log files is Art. 6 para. 1 lit. f GDPR.

3. Purpose of data processing

The temporary storage of the IP address by the system is necessary to enable the delivery of the website to the user's computer. For this purpose, the user's IP address must be stored for the duration of the session.

The data is stored in log files to ensure the website's functionality. We also use the data for the technical optimization of the website and to ensure the security of our IT systems. The data is not used for marketing purposes. This constitutes our legitimate interest in data processing pursuant to Article 6(1)(f) GDPR.

4. Storage duration

The data is deleted as soon as it is no longer needed for the purpose for which it was collected. In the case of data collected to provide the website, this is the case when the respective session ends. In the case of data stored in log files, this is the case after a maximum of seven days. Storage beyond this period is possible. In this case, the users' IP addresses are deleted or anonymized so that it is no longer possible to identify the requesting client.

5. Right to object and have the matter removed

The collection of data for the provision of the website and the storage of data in log files is essential for the operation of the website. Therefore, there is no possibility for the user to object.

IV. Use of cookies in the IONOS product MyWebsite Creator (current product generation)

Our website uses the IONOS website builder. IONOS uses the MyWebsite Creator product (current product generation). MyWebsite Creator uses technically necessary cookies by default. Cookies are text files that are stored in or by the web browser on the user's computer system. When a user visits a website, a cookie can be stored on the user's operating system. This cookie contains a unique string of characters that allows the browser to be uniquely identified when the website is visited again. MyWebsite Creator also uses tracking cookies based on Snowplow Analytics technology. This tool is used solely to improve the product. You can decide whether to allow these cookies in the MyWebsite Editor.

The following cookies are used:

1.     Website Editor

a. Purpose of processing: Editing and publication of the website

b. Categories of personal data: Content data, usage data

c. Legal basis: Contract performance, Art. 6 para. 1 lit. b GDPR

d. Datenempfänger: Duda Inc., Palo Alto, USA

2. Web space

a. Purpose of processing: Hosting the website

b. Categories of personal data: Content data, usage data

c. Legal basis: Contract performance, Art. 6 para. 1 lit. b GDPR

d. Data recipients: AWS - Amazon Web Services, data center Frankfurt, Germany; Amazon Web Services, Inc., Seattle WA, USA

3.     Content Delivery Network CDN

a. Purpose of processing: Storing website content for website visitors in multiple data centers to improve website loading time.

b. Categories of personal data: Content data, usage data

4. Legal basis: Contract performance, Art. 6 para. 1 lit. b GDPR

5. Data recipients: AWS - Amazon Web Services, data center Frankfurt, Germany; Amazon Web Services, Inc., Seattle WA, USA

6.     Online Business Card

a. Purpose of processing: Rapid publication of an online business card website. You can choose which information is displayed on this website. User data is sent to Google and Facebook to retrieve publicly available information. This data serves as the basis for the user's online business card.

b. Categories of personal data: contact details, usage data, content data

c. Legal basis: Contract performance, Art. 6 para. 1 lit. b GDPR

d.     Datenempfänger: Google LLC, Mountain View CA, USA                                                                                      Facebook, Menlo Park CA, USA

7.     Website Translator

a. Purpose of processing: When using the website translator for multilingual texts, MyWebsite sends the website's text content to Google Translate to translate the content into one or more other languages.

b. Categories of personal data: Content data, usage data

c. Legal basis: Contract performance, Art. 6 para. 1 lit. b GDPR

d. Data recipient: Google LLC, Mountain View CA, USA

8. Multi Location

a. Purpose of processing: MyWebsite uses the address data to place one or more markers on a map, so that the company/customer locations are displayed (directions). For this purpose, the product transfers the data to the map provider Mapbox. This happens automatically when the widget is added and with additional locations when they are added to the widget.

b. Categories of personal data: inventory data, content data

c. Legal basis: Contract performance, Art. 6 para. 1 lit. b GDPR

d. Data recipient: Mapbox, Washington DC, USA

9. Consent Management

a. Purpose of processing: Provision and operation of a consent management function for the website. Website visitors can use this function to grant consent for data processing and the setting of cookies, and to obtain information about the functions used and the use of the data.

b. Categories of personal data: inventory data, traffic data, usage data

c. Legal basis: Contract performance, Art. 6 para. 1 lit. b GDPR

d. Data recipient: Usercentrics GmbH, Munich, Germany

For further details, please also refer to the IONOS privacy policy: https://www.ionos.de/terms-gtc/datenschutzerklaerung/

V. Email Contact

1. Description and scope of data processing

You can contact us via the email address provided on our website. In this case, the personal data you transmit with your email will be stored. This data will not be shared with third parties. It will be used solely for processing your inquiry.

2. Legal basis for data processing

The legal basis for processing data when the user has given consent is Article 6(1)(a) GDPR. The legal basis for processing data transmitted in the course of sending an email is Article 6(1)(f) GDPR. If the email contact aims at concluding a contract, the additional legal basis for processing is Article 6(1)(b) GDPR.

3. Purpose of data processing

The processing of personal data from email contact serves solely to process the contact request. In the case of contact via email, this also constitutes the necessary legitimate interest in processing the data.

4. Storage duration

The data will be deleted as soon as it is no longer needed for the purpose for which it was collected. For personal data transmitted by email, this is the case when the respective conversation with the user has ended. A conversation is considered ended when it is clear from the circumstances that the matter in question has been resolved.

5. Right to object and have the matter removed

The user has the right to withdraw their consent to the processing of their personal data at any time. If the user contacts us by email, they can object to the storage of their personal data at any time. In such a case, the conversation cannot be continued. All personal data stored during the contact process will be deleted.

VI. Youtube

1. Description and scope of data processing

We use components (videos) from Google on our website. Google is a Google company. Google transmits the information to Google servers in the USA. The transmitted data consists only of pseudonyms; it is not possible to identify you personally. Loading videos on our website forwards data to Google. In particular, Google receives information about which of our web pages you have visited. Device-specific information, including your IP address, is also transmitted. We use YouTube's "enhanced privacy mode" for this purpose. If you access a page with an embedded video, a connection to YouTube's servers is established. If you actually watch the video, the content is displayed on the website by sending a message to your browser. If you are logged into YouTube at the same time, this information will be associated with your YouTube account.

Additional information on data protection in connection with YouTube can be found in Google's privacy policy. Furthermore, information on the purpose and scope of data collection and processing by Google can be found below: https://www.google.de/intl/de/policies/privacy.

2. Legal basis for data processing

The integration is based on your consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR. Your data will only be transferred if you explicitly consent to its processing. In this case, you acknowledge the risks described and simultaneously consent to your data being transferred to the USA pursuant to Art. 49 para. 1 lit. a GDPR.

3. Right to object and have the matter removed

You can prevent data processing by logging out of your member account before visiting our website. The data will be deleted when it is no longer needed for the purpose of processing. You can withdraw your consent at any time for the future.

VII. Rights of the data subject

If your personal data is being processed, you are a data subject within the meaning of the GDPR and you have the following rights against the controller:

1. Right to information

You can request confirmation from the data controller as to whether personal data concerning you is being processed by us. If such processing is taking place, you can request the following information from the data controller:

(1) the purposes for which the personal data are processed;

(2) the categories of personal data which are processed;

(3) the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;

(4) the planned duration of the storage of personal data concerning you or, if specific information on this is not possible, criteria for determining the storage period;

(5) the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing;

(6) the existence of a right to lodge a complaint with a supervisory authority;

(7) all available information about the source of the data if the personal data are not collected from the data subject;

You have the right to request information as to whether your personal data is being transferred to a third country or to an international organization. In this context, you may request to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.

2. Right to rectification

You have the right to rectification and/or completion from the data controller if the processed personal data concerning you is inaccurate or incomplete. The data controller must carry out the rectification without undue delay.

3. Right to restriction of processing

Under the following conditions, you can request the restriction of the processing of your personal data:

(1) if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;

(2) the processing is unlawful and you object to the erasure of the personal data and request the restriction of their use instead;

(3) the controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims, or

(4) if you have objected to the processing pursuant to Article 21(1) GDPR and it is not yet clear whether the legitimate grounds of the controller override your grounds.

If the processing of your personal data has been restricted, this data – apart from being stored – may only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.

4. Right to erasure

a) Obligation to delete

You can request that the controller erase your personal data without undue delay, and the controller is obliged to erase such data without undue delay where one of the following grounds applies:

(1) The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.

(2) You withdraw your consent on which the processing was based pursuant to Article 6(1)(a) and there is no other legal basis for the processing.

(3) You object to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) GDPR.

(4) Your personal data has been processed unlawfully.

(5) The erasure of personal data concerning you is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.

(6) The personal data concerning you were collected in relation to information society services offered pursuant to Article 8(1) GDPR.

b) Information to third parties

If the controller has made the personal data concerning you public and is obliged to erase it pursuant to Article 17(1) GDPR, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you, as the data subject, have requested the erasure of all links to, or copies or replications of, that personal data.

c) Exceptions

The right to erasure does not apply insofar as the processing is necessary.

(1) to exercise the right to freedom of expression and information;

(2) for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(3) for the establishment, exercise or defense of legal claims.

5. Right to information

If you have asserted your right to rectification, erasure or restriction of processing against the controller, the controller is obliged to communicate this rectification or erasure of data or restriction of processing to all recipients to whom the personal data concerning you have been disclosed, unless this proves impossible or involves disproportionate effort.

They have the right to be informed about these recipients by the data controller.

6. Right to data portability

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. Furthermore, you have the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided, provided that

the processing is based on consent pursuant to Art. 6 para. 1 lit. a GDPR or on a contract pursuant to Art. 6 para. 1 lit. b GDPR and

In exercising this right, you also have the right to have your personal data transmitted directly from one controller to another, where technically feasible. This must not adversely affect the rights and freedoms of others.

The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on point (f) of Article 6(1) of the GDPR.

The controller will no longer process your personal data unless they can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of establishing, exercising or defending legal claims.

You have the option, in connection with the use of information society services – notwithstanding Directive 2002/58/EC – to exercise your right to object by means of automated procedures using technical specifications.

8. Right to withdraw consent under data protection law

You have the right to withdraw your consent to data processing at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

9. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR. The supervisory authority with which the complaint has been lodged will inform the complainant of the progress and outcome of the complaint, including the possibility of a judicial remedy pursuant to Article 78 GDPR.

VIII. Data protection information for applicants

On our website, we also offer you the opportunity to apply for job openings and send us your application by email or post. When you send us your application, we will process the information you provide (e.g., name, surname, contact details (telephone number, email address) if you send your application by email). If you send us your application electronically, we process your email address to process the application and to contact you regarding your inquiry. For applications sent by post, we process the data you provide. The purpose of processing the personal data contained in your application documents is to identify a suitable candidate.

The legal basis for processing your email address is Article 6(1)(f) GDPR. Our legitimate interest is to offer you the opportunity to apply to us electronically at any time. The legal basis for processing the personal data resulting from your application is Article 6(1)(b), Article 88(1) GDPR, and Section 26(1) of the German Federal Data Protection Act (BDSG-neu).

Your application email and the documents you submitted will be stored until a decision has been made for or against you. If you sent us your application documents by post, we will return them to you after the application process is complete if no employment or collaboration results. If you sent your application by email, we will delete the email accordingly. Your data will be deleted no later than 6 months after the end of the application process for the position you applied for, unless we have hired you. If we base the processing of your data on our legitimate interest, you have the right to object.

Right to object

You have the right to object. You can send or notify us of your objection at any time (e.g., by email to bewerbung(at)montessori-nord.de).

Providing your personal data is neither legally nor contractually required, nor is it necessary for entering into a contract. You are also not obligated to provide your personal data. However, failure to provide it may mean that we cannot process your application.

To which recipients will your data be shared?

Your application data will only be shared with those departments or individuals within the company who require it to conduct the application process and screen applicants. Data will not be transferred to a third country.

Your rights as a data subject:

As a data subject, you have the following rights. If you wish to exercise these rights, please contact:

Montessori Nord gGmbH

Managing Director: Andreas Hagenkötter

Glockengießerstr. 9a

23552 Lübeck

Germany

▪ Right of access pursuant to Article 15 GDPR

▪ Right to rectification pursuant to Article 16 GDPR

▪ Right to erasure of your data pursuant to Article 17 GDPR

▪ Right to restriction of data processing pursuant to Art. 18 GDPR

▪ Right to data portability pursuant to Article 20 GDPR

Furthermore, pursuant to Article 21(1) GDPR, you have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data which is based on Article 6(1)(f) GDPR. In this case, the objection must be justified.

Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR. The supervisory authority with which the complaint has been lodged will inform the complainant of the progress and outcome of the complaint, including the possibility of a judicial remedy pursuant to Article 78 GDPR.