Data & Privacy Policy
Date: March 2023
When using my website and contacting me via website, e-mail, telephone or post, you transmit personal data to me, which I process for the purpose of processing your request and, if necessary, processing the contract. This data will only be treated by me strictly earmarked within the framework of data protection laws. In principle, I only process personal data insofar as this is necessary to provide a functioning website and to initiate and implement contractual relationships.
1. Responsible in the sense of the data protection laws
Lisa Bengs ⟡ Energy Healing + Soul Guidance
c/o Postflex #2946
Emsdettener Str. 10
48268 Greven
2. Legal bases for the processing of personal data
The respective legal basis for the processing of personal data results from Article 6 Paragraph 1 lit. a) to f) GDPR (General Data Protection Regulation).
In the case of your consent, Article 6 Paragraph 1 Letter a) GDPR is the legal basis.
Article 6 paragraph 1 letter b) GDPR is the legal basis for the processing of personal data for the fulfillment of a contract to which you are a party or for processing operations in the case of pre-contractual measures.
If processing is required to fulfill one of our legal obligations, Article 6 (1) (c) GDPR is the legal basis.
If the processing is necessary to protect a legitimate interest of mine and if your interests, fundamental freedoms or fundamental rights do not prevail, the legal basis is Art. 6 (1) lit. f) GDPR.
3. Provision of personal data required for the conclusion of a contract or due to statutory retention requirements
If you contact me, I collect personal data. This data is partly stored by me due to legal regulations, partly it is necessary for the conclusion and execution of a contract. If you wish to conclude a contract with me, you must provide me with your data so that I can provide my services to you. In addition, I am subject to statutory retention requirements for tax and commercial reasons.
In the healing operations of my practice, I collect the following personal data from clients using the legally required client declaration:
Name first Name
Date of birth
address
phone
E-mail address
Express consent: registration for the electronic newsletter (voluntary)
Client declarations filled out in the same way as well as notes on the treatment (analogue) are kept securely locked. Only the managing director has access to it.
This client data as well as data from digitally filled out patient declarations, notes and data required for administration are also stored electronically on the practice's own computer, of which there is a backup copy on a connected hard drive. Only the managing director has access to these.
In addition, client-related data on receipts and invoices only reaches the practice's tax consultancy office for a limited period of time in the course of the tax return (with invoice addresses). The tax retention obligations apply to these accounting documents.
A transfer of client data to third parties is excluded. I swear to confidentiality. However, this can be annulled in court if necessary, since there is currently no legal basis for the healers' duty of confidentiality.
An exchange of client data or about clients z. B. with doctors and naturopaths requires the written consent of the client to both therapists.
4. Data Erasure and Retention Period
I store your personal data for as long as this is necessary to fulfill the purpose or as long as storage is required by law, Art. 6 Paragraph 1 lit. c) GDPR.
If the purpose for storing personal data is no longer given, this data will be deleted after 6 months at the latest or its processing will be restricted, unless there is a need for further storage of the data for the conclusion or fulfillment of a contract.
Any further storage will only take place if this is prescribed by the European or national legislator.
5. SSL or TLS encryption
For security reasons and to protect your confidential data, I use EVSSL or TLS encryption on the entire website. This encryption means that confidential data, such as inquiries or orders that you send to me, cannot be viewed by third parties.
You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and a green lock symbol appears in the address bar.
6. Automatic data processing when my website is accessed
a. IP address
Description and scope of data processing
When this page is accessed, requests are sent to the server, which the server must answer. For this purpose, your IP address must be collected and processed in order to be able to answer the corresponding server requests.
Legal basis for data processing
The legal basis for processing this data is Art. 6 (1) (f) GDPR.
Purpose of data processing
The purpose of processing your IP address is the functionality of the website and the provision of technical retrieval options.
Legitimate Interest
The legitimate interest in the temporary storage of the IP address lies in the fact that the functionality and provision of the technical access option of the website is not possible without it.
Duration of storage
The data will be deleted again as soon as further storage is no longer necessary to achieve the purpose. When collecting the data for the provision of the website, this is the case when the retrieval process has ended.
b. Hosting
Description and scope of data processing
I use the server of a hosting company for the technical implementation of the website and its accessibility. This includes the provision of storage and database services as well as their maintenance and care.
Legal basis for data processing
The legal basis for processing this data is Art. 6 (1) (f) GDPR.
Purpose of data processing
The purpose of the processing is the realization of the online offer as well as the detection of malfunctions and attempted break-ins.
Legitimate Interest
The legitimate interest is the provision of a functional website environment.
c. Server-Log-Files
Description and scope of data processing
The IP addresses collected when this page is called up are also stored in so-called server log files in order to detect technical faults and/or attempts to manipulate and break into the server structure and make them remediable. In addition, the hosting provider of this website automatically collects, stores and processes information in so-called server log files, which are automatically transmitted by your browser. This information is:
● Browser type and browser version
● operating system used
● Referrer URL
● Host name of the accessing computer
● Time of server request
However, this information is not merged with other data sources.
Legal basis for data processing
The legal basis for processing this data is Art. 6 (1) (f) GDPR.
Purpose of data processing
The purpose of processing your IP address and the above information is to detect malfunctions and intrusion attempts.
Legitimate Interest
The legitimate interest in processing the IP address and the above information is the provision of a functional website environment.
Duration of storage
The data will be deleted again within 30 days.
Recipients of Personal Data
The IP address and the above information are processed by my hosting provider on the basis of an order processing agreement in accordance with Art. 28 Paragraph 2, Paragraph 4 DSGVO.
d. Use of cookies
Description and scope of data processing
Like many other website operators, I also use "cookies" on my website, i.e. small text files that make it possible to store specific device-related information on the user's access device (PC, tablet, smartphone). On the one hand, they serve the user-friendliness of websites and thus the user, but on the other hand they also serve to statistically record data on website use and thus improve the offer. As a user, you can influence the use of cookies. Most browsers have an option to reduce or completely prevent the storage of cookies. However, we would like to point out that the use and comfort of use on our website can be restricted by excluding cookies.
Legal basis for data processing
The legal basis for processing is Art. 6 (1) (f) GDPR.
Purpose of data processing
These cookies contain technical information for the provision of website functionalities as part of the order and customer account process. This enables the technical realization of the offer and customer account process.
Legitimate interest according to Art. 6 Para. 1 lit. f) GDPR
My legitimate interest lies in providing a technical environment that maps an online application process to my customers and users. The cookies used only contain technical data and product information.
Duration of storage as well as objection and removal options
Duration of storage as well as objection and removal options
The cookies used on this site are so-called "session cookies". These cookies are automatically deleted from the browser cache/memory on your computer after you have left the website and/or closed your browser, provided you have activated this functionality in your browser.
Please check the settings of your Internet browser (e.g. Firefox, Internet Explorer, Edge, Chrome, Opera, Safari). Your Internet browser also gives you the option of controlling the handling of cookies or deactivating them entirely. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for my website, it may no longer be possible to use all the functions of the website to their full extent.
e. Third Party Cookies
Google Analytics and the Google Website Optimiser
Google Analytics and the Google Website Optimiser are services of Google, Inc. ("Google"). Google Analytics uses cookies to help analyze how this website is used. Google Website Optimiser uses the same cookies to measure how different users respond to different types of content. The data generated by these cookies (including abbreviated IP addresses) are transmitted to and stored by Google on servers in the USA. Google uses this data to evaluate the use of this website, to create reports on website activity and to provide other related services. Google only receives shortened IP addresses. The shortened address is sufficient for Google to (roughly) determine the country from which this website is accessed, but it is not sufficient to identify individuals or devices precisely in each case.
More information: here, Google's privacy policy.
Google AdWords and Google Remarketing
For this website I use the online advertising system Google AdWords and the Google Remarketing technology, both of which are operated by Google Inc. ("Google").
To record the conversion with Google AdWords, a cookie is stored for conversion tracking when a user clicks on an advertisement ("advertisements") placed by Google. Conversion tracking cookies expire after thirty (30) days and are not used for personal identification. Google uses a different cookie for each Google AdWords customer and the cookie data is not merged with other data. If you click on one of my ads and are redirected to a page with a conversion tag and the cookie has not yet expired, the conversion will be recorded. The conversion tracking cookie shows me the total number of conversions and I can check the performance of my ads. More information about Google AdWords: here.
If you click on one of my ads, a remarketing cookie will be stored by Google. This cookie helps me deliver my ads when you later browse Google content network pages. Remarketing cookies expire after thirty (30) days and are not used for personal identification. More information about Google Remarketing: here.
7. Processing of personal data via email or booking tool
Description and scope of data processing
If you send me inquiries by e-mail or booking tool, personal data will be processed depending on the content of your inquiry:
In any case, this is your e-mail address, name, date and time as well as the content of the message. In addition, depending on the content of your e-mail, the following personal data, for example, can be processed:
● First Name, Last Name
● Telephone number
● Address
● Date of Birth
The data will only be used to process the conversation and/or to carry out and/or initiate a contractual relationship. This data can only be used for advertising purposes (newsletter) with your express consent (double opt-in).
Legal basis for data processing
Due to the user's explicit request via e-mail, the legal basis for processing the data is Article 6 (1) (f) GDPR. If contact via e-mail is also aimed at concluding and/or executing a contract, the additional legal basis for processing is Art. 6 (1) (b) GDPR.
Purpose of data processing
The processing of the personal data from your e-mail request serves the purpose of contacting and communicating with you, if necessary also the initiation and execution of a contract.
Legitimate Interest
The legitimate interest in data processing lies in being able to process your request.
Duration of storage
The data will be deleted within 6 months after they are no longer required to achieve the purpose for which they were collected or are no longer subject to any further statutory retention requirements (e.g. 10 years according to the AO, 6 years according to the German Commercial Code).
8. Newsletter
If you would like to receive the newsletter offered on the website, we need an e-mail address from you as well as information that allows us to verify that you are the owner of the e-mail address provided and that you agree to receive the newsletter.
We use the so-called double opt-in procedure to ensure that the newsletter is sent in a consensual manner. In the course of this, the potential recipient can be included in a mailing list. The user then receives a confirmation e-mail with the opportunity to confirm the registration in a legally secure manner. The address will only be actively included in the mailing list if the confirmation is received.
We use this data exclusively for sending the requested information and offers.
You can revoke your consent to the storage of the data, the e-mail address and their use for sending the newsletter at any time, for example via the "Unsubscribe" link in the newsletter.
9. Social Media
Online presence in social media
I maintain online presences within social networks and platforms in order to be able to communicate with the customers, interested parties and users active there and to be able to inform them about my services there. When calling up the respective networks and platforms, the terms and conditions and data processing guidelines of their respective operators apply.
Unless otherwise stated in my data protection declaration, I process the data of the users if they communicate with me within the social networks and platforms, e.g. write posts on my online presence or send me messages.
Facebook of Meta Platforms Inc., 471 Emerson St, Palo Alto, CA 94301, USA, operated within the EU by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Irland.
Data protection information can be found at https://www.facebook.com/policy.php
Through certification according to the EU-US data protection shield ("EU-US Privacy Shield") https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active Facebook guarantees that the data protection regulations of the EU are also observed when processing Data in the USA are complied with.
Instagram Data protection information can be found at https://privacycenter.instagram.com/policy/?entry_point=ig_help_center_data_policy_redirect
10. Sharing of Data
Your personal data will not be transmitted to third parties for purposes other than those listed below. We only pass on your personal data to third parties if:
● you have given your express consent in accordance with Article 6 Paragraph 1 Sentence 1 Letter a GDPR,
● this is necessary for the processing of the contractual relationship with you in accordance with Article 6 Paragraph 1 Sentence 1 lit.
● there is a legal obligation for disclosure according to Article 6 Paragraph 1 Clause 1 Letter c GDPR,
● disclosure is necessary in accordance with Article 6 Paragraph 1 Clause 1 Letter f GDPR to assert, exercise or defend legal claims and there is no reason to assume that you have an overriding legitimate interest in not disclosing your data,
● the disclosure according to Article 6 Paragraph 1 Sentence 1 lit. f GDPR is in the interest of the user-friendliness of my website and the improvement of our offer and there is no reason to assume that you have an overriding legitimate interest in not disclosing your data.
11. Your rights as a data subject
If your personal data is processed, you as the data subject have the following rights in relation to me within the meaning of the General Data Protection Regulation. To exercise your data subject rights vis-à-vis me as the person responsible, please contact the following email address: mail@lisabengs.com
Right to information - Art. 15 GDPR
You have the right to request confirmation from me as to whether personal data in question will be processed. If such processing is present, you have a right to information about this personal data and the following information:
-
the purposes for which the personal data are processed,
-
the categories of personal data being processed,
-
the recipients or categories of recipients to whom the personal data have been or will be disclosed,
-
if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining the storage duration,
-
the existence of a right to correction or deletion of personal data concerning you, a right to restriction of processing by me or a right to object to this processing,
-
the existence of a right of appeal to a supervisory authority
-
all available information about the origin of the data if the personal data is not collected from you
-
the existence of automated decision-making including profiling in accordance with Art. 22 Para. 1 and 4 GDPR and - at least in these cases - meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.
You also have the right to request information as to whether the personal data concerning you is being transmitted to a third country or to an international organization. In this context, you can also request to be informed about the appropriate guarantees pursuant to Art. 46 GDPR in connection with the transmission.
Right to rectification - Art. 16 GDPR
You have the right to immediate correction and/or completion of the data concerning you if the processed personal data is incorrect or incomplete.
Right to erasure - Art. 17 GDPR
Obligation to delete
You have the right to request the immediate deletion of your personal data at any time if one of the following reasons applies:
-
the personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed,
-
You have revoked your consent on which the processing was based pursuant to Article 6(1)(a) or Article 9(2)(a) GDPR and there is no other legal basis for the processing,
-
You have objected to the processing pursuant to Article 21 (1) and there are no overriding legitimate grounds for the processing, or you have objected to the processing pursuant to Article 21 (2) GDPR,
-
the personal data concerning you have been unlawfully processed,
-
the deletion of the personal data concerning you is necessary to fulfill a legal obligation under Union law or the law of the Member States to which the person responsible is subject.
Exceptions to the obligation to delete
There is no right to erasure if processing is necessary
-
to exercise the right to freedom of expression and information,
-
to fulfilment compliance with a legal obligation that requires processing under Union or Member State law to which the controller is subject, or to perform a task that is in the public interest or in the exercise of official authority that has been delegated to the controller,
-
for reasons of public interest in the field of public health in accordance with Article 9 paragraph 2 letters h and i and Article 9 paragraph 3,
-
for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes pursuant to Article 89 (1) GDPR, insofar as the law referred to in section a) is likely to make it impossible or seriously impair the achievement of the objectives of this processing, or
-
to assert, exercise or defend legal claims.
Right to restriction of processing - Art. 18 GDPR
You have the right to demand the restriction of the personal data concerning you under the following conditions:
-
if you contest the accuracy of the personal data concerning you for a period that enables the person responsible to check the accuracy of the personal data;
-
if the processing is unlawful and you refuse to delete the personal data and instead request that the use of the personal data be restricted;
-
if the person responsible no longer needs the personal data for the purposes of processing, but you need them to assert, exercise or defend legal claims, or
-
if you have lodged an objection to the processing pursuant to Art. 21 (1) GDPR and it has not yet been determined whether the legitimate reasons of the person responsible outweigh your reasons.
If the processing of your personal data has been restricted, this data - apart from storage - may only be used with your consent or to assert, exercise or defend legal claims or to protect the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State are processed.
If the restriction of processing has been restricted due to the conditions mentioned, you will be informed by me before the restriction is lifted.
Right to information - Art. 19 GDPR
If you have exercised one of your rights to correction, deletion or restriction of processing, I am obliged to inform all recipients to whom your personal data has been disclosed of the correction, deletion of data or restriction of processing, unless because this proves to be impossible or involves a disproportionate effort. You also have the right to be informed about these recipients.
Right to data portability - Art. 20 GDPR
You have the right to receive the personal data that you have provided to me in a structured, common and machine-readable format. In addition, you have the right to transmit this data to another person in charge without hindrance from the person in charge to whom the personal data was provided, provided that
-
the processing is based on consent pursuant to Article 6 Paragraph 1 Letter a) GDPR or Article 9 Paragraph 2 Letter a) GDPR or on a contract pursuant to Article 6 Paragraph 1 Letter b) GDPR and
-
the processing is carried out using automated procedures.
In exercising this right to data portability, you also have the right to have your personal data transmitted directly from one person responsible to another person responsible, insofar as this is technically feasible.
Right to object - Art. 21 GDPR
You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data, which is based on Article 6 (1) e) or f) GDPR; this also applies to profiling based on these provisions.
I will no longer process your personal data unless I can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
If personal data is processed in order to operate direct advertising, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct advertising.
If you object to the processing for direct marketing purposes, the personal data relating to you will no longer be processed for these purposes.
Right to revoke your data protection declaration of consent
You have the right to revoke your declaration of consent under data protection law at any time. The revocation of the consent does not affect the legality of the processing carried out on the basis of the consent up to the point of revocation.
Right to lodge a complaint with a supervisory authority - Art. 77 GDPR
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement, if you believe that the processing of your personal data violates violates the General Data Protection Regulation. The Hamburg Commissioner for Data Protection and Freedom of Information of the Free and Hanseatic City of Hamburg is responsible for my place of business: https://datenschutz-hamburg.de/