Privacy policy of CSD Leipzig e.V.

3.1 Membership data

We process the following personal data of members of the association and of persons who apply for membership:

• first name(s) and surname or name of the legal entity
• address
• date of birth
• e-mail address
• bank details
• date of joining the association
• type of membership
• signature (e.g. for paper applications)
• for legal entities:
  • first name(s) and surname of contact person
  • function of the contact person
• for minors:
  • first names and names of the legal representatives

The legal basis for the processing is Art. 6 para. 1 sentence 1 lit. b) GDPR.

The data is processed exclusively for the administration of membership (e.g. member data administration, collection of membership fees, member information, etc.) and stored for the entire duration of membership in the association. In the event of termination of membership (see association statutes), the data will be deleted within 6 weeks unless there is a special reason for longer storage. Special reasons may be, for example

• outstanding membership fee invoices
• the request for a donation receipt to be issued

Once the special reason no longer applies, the data will be deleted immediately.

Business documents are excluded from the deletion period of this privacy policy. These are, for example, invoices for membership fees. They are subject to the retention obligations under tax law.

3.1.1 Association management software

The web-based association management software “EasyVerein” is used to manage the association. The software is operated by

SD Software-Design GmbH
Basler Landstraße 8
79111 Freiburg im Breisgau

As part of the contract with the operator, the above-mentioned data is passed on to the operator as part of the use of the EasyVerein software. We have concluded an data processing agreement (DPA) for the use of this service. This is a contract prescribed by data protection law, which ensures that personal data is only processed in accordance with our instructions and in compliance with the GDPR. You have already been informed of this with the membership application.

You will be informed again of your rights as a data subject: https://easyverein.com/static/documents/Rechte_der_Betroffenen.pdf 

3.1.2 Digital membership cards

The web-based software “Passcreator” is used to provide digital membership cards. The software is operated by

Fobi AI Germany GmbH
Walter-Gropius-Str. 15
80807 München

As part of the contract with the operator, the following data is passed on to the operator as part of the use of the Passcreator software.

• first name(s) and surname
• membership status
• membership number
• e-mail address

We have concluded a data processing agreement (DPA) for the use of this service. This is a contract prescribed by data protection law, which guarantees that it processes personal data only in accordance with our instructions and in compliance with the GDPR.

Further information can be found in the privacy policy of Fobi AI Germany GmbH (see “Datenschutzinformationen für Endnutzer”): https://www.passcreator.com/de/datenschutzerklaerung

3.1.3 Bank and SEPA direct debit

To collect your membership fee via SEPA direct debit, the following data will be forwarded to Leipziger Volksbank eG, where we hold an account:

• First name(s) and surname or name of the legal entity or first name(s) and surname of the account holder (if different)
• Bank details

Further information can be found in the privacy policy of Leipziger Volksbank eG: https://www.leipziger-volksbank.de/service/Datenschutzhinweis.html

3.1.4. Tax consultancy firm

We use the services of a tax consultancy firm (IQ Steuerberatungsgesellschaft mbH, Springerstraße 9, 04105 Leipzig) to prepare our annual tax return. The tax consultant is given access to all business documents and therefore also to the membership invoices, which contain the following personal data:

• first name(s) and surname or name of the legal entity
• address
• date of joining the association, if applicable
• type of membership

In addition, the tax consultancy company can view our accounting transactions and account documents if required and can also find out a member’s bank details.

Further information can be found in the privacy policy of IQ Steuerberatungsgesellschaft mbH: https://iq-steuer.de/datenschutz/

3.1.5 Server and IT Support

We use the Nextcloud application, a cloud software that allows us to operate our own cloud server under our own data sovereignty.
IT support for the server is provided by IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany. For the purpose of IT support, IONOS SE is granted access to the Nextcloud server as required.
Further information can be found in IONOS SE’s privacy policy: https://www.ionos.de/terms-gtc/datenschutzerklaerung/

The above-mentioned personal data may be stored on the server in part or in full (e.g. in the form of correspondence with the member stored there).

3.1.6 Association board – Public registers / Authorities / Legal notice

There are legal obligations to report personal data of the members of the Board (full name, address, date of birth, signature, copy of ID card) in whole or in part to authorities for keeping public registers (e.g. register of associations and transparency register) or for applying for funding or other official notifications. There is also an obligation to state the full names of the Executive Board in the legal notice of the association’s website.

The legal basis for these activities are Art. 6 para. 1 sentence 1 lit. c) and f) GDPR.

3.2 Volunteers

3.2.1 General

CSD Leipzig e.V. works with volunteers. Depending on the type of volunteer work, the following personal data is processed for the purpose of cooperation:

• first name(s) and surname
• date of birth
• age
• address
• signature
• bank details
• photos
• telephone number
• e-mail address

The legal basis for the processing is Art. 6 para. 1 sentence 1 lit. a) GDPR. Your consent is required for processing.

The data will be processed exclusively for the collaboration within the scope of the volunteer assignment. The data will be deleted within 6 weeks if consent is withdrawn or after the volunteer assignment has ended. With the consent of the respective person, the data can be stored for up to 3 years for future volunteer assignments or enquiries about volunteer assignments.

The data is stored on the Nextcloud server described under 3.1.5. Please read the explanations above.

Volunteers with a management function (team leaders) are named on the association’s website (csd-leipzig.de) with their first names as contact persons with their consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

3.2.2 Prideball

The organiser of the Pride closing party (Prideball) offers free guest list places for some voluntary activities (e.g. for demo stewards). The party is organised by

Eventagentur emotion works
Mirko Stock & Matthias Krähenbiel GbR
Schwägrichenstraße 13
04107 Leipzig

The following data may be passed on to the operator for the purpose of providing the guest list place:

• first name(s) and name
• age (over 18 years)

3.2.3 Stargayte Sauna

The owner of the Stargayte Sauna, Otto-Schill-Str. 10 in 04109 Leipzig, offers discounted admission for some voluntary activities (e.g. for demo stewards).

The following data may be passed on to the holder for the purpose of granting the benefit:

• first name(s) and name

3.2.4 Volunteer pass (“EhrenamtsPass”)

For extensive voluntary activities, it is possible to order the so-called “Leipziger EhrenamtsPass” from the Freiwilligen-Agentur Leipzig e.V., Dorotheenplatz 2 in 04109 Leipzig. The order is made in consultation with the respective volunteer by the CSD Leipzig e.V. For this purpose, the following data is passed on to the Freiwilligen-Agentur Leipzig e.V.:

• first name(s) and name
• date of birth
• details of the honorary post
• start/acceptance of the honorary position
• task/activity
• scope of time
• remuneration, if applicable

Further information can be found in the data protection regulations of Freiwilligen-Agentur Leipzig e.V.: https://freiwilligen-agentur-leipzig.de/wp-content/uploads/2023/11/EAP2024_Datenschutzbestimmungen.pdf

3.3 Regular information via e-mail distribution list

CSD Leipzig e.V. informs regularly via e-mail distribution list about the dates and topics of the upcoming Pride plenaries, invites to them and shares other relevant information. The following personal data is processed for this purpose

• e-mail address

The legal basis for the processing is Art. 6 para. 1 sentence 1 lit. a) GDPR. Your consent is required for processing.

The mailing is sent via an e-mail distribution list with our e-mail provider IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany. We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract prescribed by data protection law, which ensures that the provider only processes personal data in accordance with our instructions and in compliance with the GDPR.

The data you provide us with for the purpose of receiving the newsletter will be stored by us or IONOS SE until you unsubscribe from the newsletter and deleted from the distribution list after you unsubscribe. Data stored by us for other purposes remains unaffected by this.
If you do not want your data to be processed for this purpose and transferred to IONOS SE, you must unsubscribe from the e-mail distribution list. You can revoke your consent to receive the mailing list emails at any time by unsubscribing from the mailing list. The legality of the data processing operations that have already taken place remains unaffected by the cancellation.

3.4 Communication via WhatsApp

For internal communication, we use the instant messaging service WhatsApp, among others. The provider is WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

Communication takes place via end-to-end encryption (peer-to-peer), which prevents WhatsApp or other third parties from gaining access to the communication content. However, WhatsApp receives access to metadata that is created in the course of the communication process (e.g. sender, recipient and time). We would also like to point out that WhatsApp states that it shares the personal data of its users with its parent company Meta, which is based in the USA. Further details on data processing can be found in WhatsApp’s privacy policy at https://www.whatsapp.com/legal/#privacy-policy.

WhatsApp is used on the basis of our legitimate interest in communicating with volunteers as quickly and effectively as possible (Art. 6 para. 1 lit. f GDPR). If a corresponding consent has been requested, the data processing takes place exclusively on the basis of the consent; this can be revoked at any time with effect for the future.

The communication content exchanged between you and us on WhatsApp will remain with us until you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies (e.g. after termination of the voluntary service). Mandatory statutory provisions – in particular retention periods – remain unaffected.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. You can find more information on this under the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt00000011sfnAAA&status=Active

CSD Leipzig e.V. has neither precise knowledge of nor influence on the data processing by WhatsApp Ireland Limited.

3.5 Payments via PayPal

We use a payment service of the payment service provider PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter “PayPal”) to receive donations and for cashless payments. If you donate to us via PayPal or make a purchase from us via PayPal, your payment data (e.g. name, payment amount, account details, credit card number) will be processed by the payment service provider for the purpose of payment processing. The respective contractual and data protection provisions of the respective providers apply to these transactions. The payment service providers are used on the basis of Art. 6 para. 1 lit. b GDPR (contract processing) and in the interest of a smooth, convenient and secure payment process (Art. 6 para. 1 lit. f GDPR). Insofar as your consent is requested for certain actions, Art. 6 para. 1 lit. a GDPR is the legal basis for data processing; consent can be revoked at any time for the future.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://www.paypal.com/de/webapps/mpp/ua/pocpsa-full.

Details can be found in PayPal’s privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.

3.6 Business contacts / contractual partners

We work together with contractual partners in various ways (e.g. artists, service providers, etc.). As part of these transactions, personal data is processed by the contractual partners. These can be, for example

• first name(s) and surname or name of the legal entity
• address
• e-mail address
• telephone number
• bank details
• signatures (e.g. for contracts)
• for legal entities:
  • first name(s) and surname of contact person
  • function of the contact person
  • telephone number
  • Tax number / VAT ID
  • photo and video recordings (e.g. from live streams)

Normally, these are business contacts and business documents to which the separate statutory retention periods apply.

3.7 Online-based Audio and Video Conferences (Conference tools)

3.7.1 Data processing

We use online conference tools, among other things, for communication with our members, volunteers and partners. The tools we use are listed in detail below. If you communicate with us by video or audio conference using the Internet, your personal data will be collected and processed by the provider of the respective conference tool and by us. The conferencing tools collect all information that you provide/access to use the tools (email address and/or your phone number). Furthermore, the conference tools process the duration of the conference, start and end (time) of participation in the conference, number of participants and other “context information” related to the communication process (metadata).

Furthermore, the provider of the tool processes all the technical data required for the processing of the online communication. This includes, in particular, IP addresses, MAC addresses, device IDs, device type, operating system type and version, client version, camera type, microphone or loudspeaker and the type of connection.

Should content be exchanged, uploaded, or otherwise made available within the tool, it is also stored on the servers of the tool provider. Such content includes, but is not limited to, cloud recordings, chat/ instant messages, voicemail uploaded photos and videos, files, whiteboards, and other information shared while using the service.

Please note that we do not have complete influence on the data processing procedures of the tools used. Our possibilities are largely determined by the corporate policy of the respective provider. Further information on data processing by the conference tools can be found in the data protection declarations of the tools used, and which we have listed below this text.

3.7.2 Purpose and legal bases

The conference tools are used to communicate with prospective or existing contractual partners or to offer certain services to our members and volunteers (Art. 6(1)(b) GDPR). Furthermore, the use of the tools serves to generally simplify and accelerate communication with us or our association (legitimate interest in the meaning of Art. 6(1)(f) GDPR). Insofar as consent has been requested, the tools in question will be used on the basis of this consent; the consent may be revoked at any time with effect from that date.

3.7.3 Duration of storage

Data collected directly by us via the video and conference tools will be deleted from our systems immediately after you request us to delete it, revoke your consent to storage, or the reason for storing the data no longer applies. Stored cookies remain on your end device until you delete them. Mandatory legal retention periods remain unaffected.

We have no influence on the duration of storage of your data that is stored by the operators of the conference tools for their own purposes. For details, please directly contact the operators of the conference tools.

3.7.4 Conference tools used

We employ the following conference tools:

Microsoft Teams

We use Microsoft Teams. The provider is the Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. For details on data processing, please refer to the Microsoft Teams privacy policy: https://privacy.microsoft.com/en-us/privacystatement.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt0000000KzNaAAK&status=Active

Data processing

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract mandated by data privacy laws that guarantees that they process personal data of our website visitors only based on our instructions and in compliance with the GDPR.