☂ Data Protection Declaration

⸎ Datenschutzerklärung



This is an informal translation of the Datenschutzerklärung for this website. Some examples related to the situation in Germany have been left out. While I tried my best to give comprehensive and understandable information, my mother tongue is German and my English is limited. If something is hard to understand or ambiguous, please let me know.


What is it about?

All natural persons basically have the sole right to decide about the collection, storage and processing of data related to them if those data allow them to be identified as natural persons. This fundamental right to informational self-determination is primarily regulated by the European Union's General Data Protection Regulation (GDPR). In addition, various national privacy protection regulations exist, as well as data protection agreements, e.g. in the health sector. The GDPR requires that people be informed comprehensively and understandably if data are processed which contain information about them (person-related data).

Data protection is the practical implementation of the right to informational self-determination, a basic right of natural persons, that is living persons and in some cases also deceased persons.

Juristic persons (companies, associations etc.) do not have a personality right. Their internal information (business secrets etc.) is protected by other laws but not by data protection regulations.

Legal bases for the processing of person-related data can be laws, legitimate interest or informed consent. Legitimate interest is, for example, the processing of person-related data that is necessary to fulfill a process explicitly wanted by a natural person, such as storing a delivery address in online sales. Informed consent means the explicit consent of natural persons to the processing of their person-related data. The data subjects must be informed comprehensively and understandably about the processing and its possible consequences.


In Brief


That's the big question of data protection. My address data in the imprint is clearly person-related, because practically everybody can identify me as a natural person with this information. Therefore this information may be used only for purposes authorized by the legal imprint obligation or those I freely consent to. It must not be stored and processed for other purposes, not even privately, without a legal basis.

It gets more complex with person-relatable data. These are data which by themselves are not person-related, but could be suitable for identifying natural persons depending on who gets access to them and which possibilities and ambitions this data receiver has. A common example is the IP address (network address) of the calling computer or router, which is inevitably transmitted when visiting a website. While I can see that IP, it will not give me much information, at least on private users, except that I might know to which internet provider with thousands or millions of customers it belongs.

Accordingly, this IP address is usually not person-relatable when processed at bomhard.de and is not subject to data protection. An internet provider, however, knows which natural person among its customers is using that IP at which time, so it is person-related there and subject to privacy protection.

Usually (private) customers get a new IP from their internet providers every 24 hours, so there is not even an observable persistent relation between IP and user data. However, IP addresses may be static as well, meaning they do not change, and can therefore be associated with an institution or possibly even with a natural person.


Which data are processed at bomhard.de and where?

By viewing this (and any) website you actively transmit your IP address or that of the corresponding gateway (router). If you are a private person, this IP is normally factually anonymous when processed at bomhard.de. However, your IP might be a static personal or institutional IP address and therefore permit person-relation. Additionally, the URL you requested is transmitted and, in most cases, also which browser (user agent) you are using and from which website you are coming (referrer)¹.

At bomhard.de those connection data are stored together with the date and time of the access for about 2-4 weeks in server log files and then deleted, except in case of abuse, where they might be disclosed to authorities for investigation and prosecution.

Besides passively processing data transmitted by the user when visiting a website, there are various techniques to actively collect information on visitors (cookies, tracking pixels, canvas fingerprinting etc.). No such techniques are used. There are also no links to external libraries, media or services which might enable third-party service providers to collect information. In brief, user tracking is limited to the unavoidable amount as far as possible.

If you send mail to contact bomhard.de, your email address, connection data and all content of your email are stored both on the mail server at bomhard.de (no third party) and in the email programs used on our PCs, smartphones or other user devices. In case of a contact related to the imprint obligation, the data storage time depends on the applicable legal regulations and necessities. In case of private contact (questions and comments on content), mails will be stored or deleted following my private interest.

bomhard.de is hosted on a dedicated virtual server at Netcup, Germany. The server is running Debian GNU/Linux with strong AES256 LUKS/dm-crypt system encryption and is entirely set up and maintained by myself. All data is stored there, with backups on my personal, system-encrypted Debian computers. No third party has any access to the data stored and processed on the server or on my personal computers.


How are those data used?

The connection data are continuously statistically evaluated for personal information using GoAccess. Domains are stored and archived as is. The evaluated statistical data are kept as documents for unlimited time, but the corresponding log file is not stored longer than one year.

No data will be disclosed to third parties except for the fulfillment of legal obligations. Data will never be used for advertising, profiling, contacting you or anything similar.


Your rights

The GDPR grants data subjects comprehensive rights of information and of withdrawal of consent to the processing of data which are subject to their informational self-determination. In particular you have, if no law contradicts and it is possible with reasonable effort, the rights to:

Whether all that makes sense for small websites like this one, which only collect the technically unavoidable data that most likely are not even person-relatable, is more than questionable:

To exercise your rights you would have to submit much more person-related data than I might have and could report, correct or erase. You can contact me by email (see imprint) and send me your name, address and either domain name or IP address together with proof that you are really you and the domain/IP is really yours. Only then can I, and surely will I, check if something related is stored and correct or erase it. Of course I would have to store and archive your request as well ...


¹ You can easily manipulate the transmitted user agent and referrer, which has no big consequences at bomhard.de. At most, layout optimization for mobile devices might suffer. You can also obfuscate the transmission of your IP using anonymization services such as Tor (but this will not protect you against professional surveillance). My technical capabilities do not allow unveiling Tor.