We would like to welcome you to the website of Stiftung Mercator (hereinafter referred to as ‘we’) and thank you for your interest. The protection of your personal data when you are using this website is very important to us. In our data privacy statement, we would like to inform you about when we collect which data and how we use it.
Data Privacy Statement of Stiftung Mercator (last updated on 1 May 2020)
Regardless of whether you are a project partner, a partner company, an applicant or a visitor to our website, we take the protection of your personal data very seriously. But what does this mean in concrete terms?
In the following, we give you an insight into the personal data we collect from you and the ways in which we process it. You will furthermore gain an overview of your rights according to the applicable data protection laws. We will also tell you who you can contact if you have any further questions.
Who are we?
As the responsible organization pursuant to Article 4 (7) of the EU General Data Protection Regulation (GDPR), we,
address for correspondence:
Postfach 10 33 26
Tel. +49 201 245 22-0
Fax +49 201 245 22-44
take all measures required under applicable data protection law to ensure the protection of your personal data.
If you have any questions on data processing in our company or how to exercise your rights, you can also contact our data protection officer free of charge:
Data Protection Officer
2B Advice GmbH
Joseph Schumpeter Allee 25
Tel: +49 228 926 165 120
2 Scope of application of the data privacy statement
Legislators define the processing of personal data as activities such as the collection, recording, organization, filing, storage, adaptation or alteration, readout, retrieval, use, disclosure (by transmission, dissemination or some other form of provision), collation or linking, restriction, deletion or destruction of personal data.
3 What personal data do we process?
Personal data are only collected on this website to the extent that is technically necessary. Personal data are all data that can be related to you personally, e.g. name, address, email addresses, user behaviour. We have taken extensive technical and operational precautions to protect your data from accidental or deliberate manipulation, loss, destruction or access by unauthorized persons. Our security procedures are regularly reviewed and adapted to technological progress.
Under no circumstances will we sell your personal data to third parties!
3.1 Sensitive data
Sensitive data, i.e. special categories of personal data such as information on health, political opinions, religious or trade-union affiliation, are not collected in this way.
3.2 Personal data of minors
Our activities are generally not aimed at minors. Should it come to our attention that the personal data of minors have been processed without the consent of their parents or guardians, these data will be deleted immediately.
Our website uses a social plug-in of the social network ‘facebook.com’, which is operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (‘Facebook’). The plug-in can be recognized by the Facebook logo (white ‘f’ next to the text ‘Like’).
Some pages on our website include third-party content, such as videos from YouTube. This always presupposes that the providers of this content (hereinafter referred to as ‘third-party providers’) know the user’s IP address because, without the IP address, they could not send the content to the respective user’s browser. The IP address is therefore needed in order to display this content. We make every effort to use only content whose respective providers use the IP address only to deliver the content. However, we have no influence over whether the third-party providers store the IP address, e.g. for statistical purposes. Should we become aware of this, we will immediately inform the users.
Our website also uses plug-ins of the microblogging service ‘twitter.com’, which is operated by Twitter, Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA (‘Twitter’). The plug-ins are marked with a Twitter logo.
Matomo (formerly Piwik)
By using this website, you agree to Matomo processing the data collected about you in the manner and for the purpose described above.
4 Why do we process your personal data – and on what legal basis?
4.1 To implement the application procedure
We process the data you send us in your application to check whether your professional qualifications are suitable for the advertised position. We use your information only for the application procedure and transfer it to your personnel file when a contract is concluded. Should no agreement be reached, your information will be deleted or destroyed. We will not use your application documents for any other purpose than for the application process.
4.2 Legitimate interest in data processing
We have a legitimate interest in detecting and preventing abuses of our service; similarly, we have a legitimate interest in improving our service and adapting it to your requirements.
We also use your personal data in the following cases, among others:
- We analyse your data to protect you from fraudulent activities. This can happen, for example, if you have been the victim of identity theft, or if unauthorized persons have gained access to your user account in some other way;
- To be able to guarantee IT security;
- To be able to record and prove facts in the event of any legal disputes.
You have the opportunity to register on our website for newsletters on various topics.
We only need your email address to send you our newsletters; all other information is voluntary.
Your data will be processed for this purpose on the basis of your consent given pursuant to Article 6 (1) letter a of the GDPR. Legislators set certain requirements for the validity of consent given electronically, as used for registration for the newsletter. This also includes logging your declaration of consent. We therefore record the date and time of your consent, the text of the declaration of consent, whether the check box was selected, your email address and all other voluntary information given. We also log the date and time of the click on the confirmation link and the link in the confirmation email. This means that you will receive our newsletter only after successful completion of a double-opt-in procedure! We collect this information with the sole purpose of complying with the legal obligations.
You have the right to revoke your consent at any time. However, withdrawal of consent shall not affect the lawfulness of the processing carried out up to the date of revocation.
Email newsletters can be revoked via the link printed in the newsletter and – where appropriate – in the administration settings of the respective online service. Alternatively, please contact us via:
To send our newsletters, we use the Inxmail Professional system from Inxmail GmbH, Wentzingerstr. 17, 79106 Freiburg. In some cases they are sent out by our service provider u+i interact GmbH & Co. KG, Karl-Eilers-Str. 13, 33602 Bielefeld. Order data-processing contracts have been concluded with both companies pursuant to Article 28 of the GDPR. Your data will not be used for any other purposes.
4.4 Based on your consent
If you have consented to your personal data being processed for one or more specific purposes, we are permitted to process your data. With regard to the future, you can revoke this consent at any time without incurring any costs other than the transmission costs according to the basic rates (costs of your internet connection). However, withdrawal of consent shall not affect the lawfulness of the processing carried out up to the date of revocation.
4.5 Based on legal requirements or in the public interest
As a company, we are subject to a wide variety of legal requirements (e.g. laid down by tax legislation). We process your personal data to the extent necessary to comply with our legal obligations.
5 Where we transfer data to and why
5.1 Use of data within Stiftung Mercator
Within Stiftung Mercator, access to your personal data is only granted to those units that need to have access in order to fulfil our contractual or legal obligations or to protect our legitimate interests.
5.2 Use of data outside Stiftung Mercator
We respect the protection of your personal data and only pass on information about you if required by law, if you have given your consent, or to fulfil contractual obligations. For example, we may be subject to a legal obligation to pass on your personal data to the following recipients:
- public bodies or supervisory authorities, e.g. tax authorities, customs authorities,
- judicial and law enforcement authorities, e.g. police, courts, public prosecutors,
- lawyers or notaries, e.g. in legal disputes,
- chartered accountants.
To enable us to fulfil our contractual obligations, we cooperate with other companies. These include:
- banks and financial services companies for handling all financial matters.
Own service companies
In order to be able to run our business efficiently, we use the services of external service providers that may receive personal data from you to fulfil the purposes described above, including IT service providers and providers of printing and telecommunications services. We select these service providers very carefully and monitor them regularly, particularly their careful handling and safeguarding of the data stored by them. We oblige all service providers to maintain confidentiality and to comply with the legal requirements.
In the case of service companies based outside the European Economic Area (EEA), we take specific security measures (e.g. by using special contractual clauses) to ensure that the data are treated with the same level of care as in the EEA. We regularly check all our service companies for compliance with our specifications.
6 Deletion deadlines
In accordance with the applicable data protection regulations, we do not store your personal data for longer than we need them for the respective processing purposes. If the data are no longer required to fulfil contractual or legal obligations, they are regularly deleted by us unless their temporary storage is still necessary. The following reasons can justify continued storage:
- Retention obligations under commercial or tax law must be observed: the time periods prescribed for retention, primarily according to the regulations of the German Commercial Code and the German Fiscal Code, are up to 10 years.
- To obtain evidence in the event of legal disputes within the framework of the legal statute of limitations: limitation periods can be up to 30 years in civil law, whereby the regular limitation period ends after three years.
7 Your rights
You have certain rights relating to the processing of your personal data. More detailed information can be found in the corresponding provisions in the EU’s General Data Protection Regulation (Chapter III, Articles 15 to 21 of the GDPR).
7.1 Right of access and rectification
You have the right to receive information from us about which of your personal data we process. If this information is not (or no longer) correct, you can demand that we correct the data and, if the information is incomplete, you can demand that it be supplemented. If we have passed on your data to third parties, we will inform the respective third parties in the corresponding legal situation.
7.2 Right of deletion
Under the following circumstances, you can demand the immediate deletion of your personal data:
- if your personal data are no longer needed for the purposes for which they were collected;
- if you have revoked your consent and there is no other legal basis for data processing;
- if you object to processing and there are no overriding legitimate reasons for data processing;
- if your data are being processed unlawfully;
- if your personal data have to be deleted to comply with legal obligations.
Please note that before deleting your data, we must check to make sure that there is no legitimate reason to process your personal data.
7.3 Right to restrict processing (‘right to block’)
You can demand that we restrict the processing of your personal data for one of the following reasons:
- if you dispute the accuracy of the data, until we have had an opportunity to satisfy ourselves as to the accuracy of the data;
- if the data are being processed unlawfully, but instead of deletion of the data you only request that the use of the personal data be restricted;
- if, although we no longer need the personal data for processing purposes, you still need them to assert, exercise or defend legal claims;
- if you have lodged an objection to processing and it is not yet clear whether your legitimate interests outweigh ours.
7.4 Right of objection
7.4.1 Right of objection in individual cases
If the processing is being carried out in the public interest or on the basis of a legitimate interest in data processing, you have the right to object to processing for reasons arising from your particular situation. If you lodge an objection, we will not continue processing your personal data unless we can prove compelling, legitimate reasons for processing your data which outweigh your interests, rights and freedoms, or because your personal data serve to assert, exercise or defend legal claims. The objection does not preclude the lawfulness of processing carried out prior to the objection.
The objection is not subject to any condition as to form and should be addressed to @
7.5 Right to data transferability
On request, you have the right to receive, in a transferable and machine-readable format, personal data that you have given us for processing.
7.6 Right of complaint to the supervisory authority (Article 77 of the GDPR)
We always try to process your inquiries and claims as quickly as possible to protect your rights accordingly. However, depending on the frequency of inquiries, it may take up to 30 days before we can give you any further information about your request. Should it take longer, we will inform you promptly of the reasons for the delay and discuss the further procedure with you.
In some cases we are either not allowed or not able to give you any information. Whenever legally permissible, we will inform you of the reason for refusing to provide information.
If you are nevertheless not satisfied with our answers and reactions, or if you believe that we are violating applicable data protection laws, you are free to lodge a complaint both with our data protection officer and with the relevant supervisory authority. The regulatory agency responsible for us is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia)
Postfach 20 04 44