Toggle menu

  • 1. Data protection at a glance

    General Information

    The following information provides a brief overview of what happens to your personal data when you visit our website. Personal data is any information by which you can be identified as an individual. Extensive information about data protection is provided within the data privacy statement specified within this text.

    mika:timing acting as Processor in accordance with article 28 of the GDPR

    The security of personal data of customers, colleagues, and our clients' customers is a significant concern for mika:timing GmbH due to the increasing frequency of the networking of information and communication systems - especially during the organisation of sports events.

    In order to ensure to our customers, colleagues, and our clients' customers that we are handling data to a consistent and high standard, we have developed data protection guidelines.

    Careful handling of this data meets the expectations of our customers and clients and is the basis for a business relationship based on trust.

    When organising sports events, the event organiser - as the client - and mika:timing GmbH as the processor are perceived as one entity by the participant. The implementation of these duties resulting from the data protection guidelines and the compliance of current data protection laws are ensured by the management and employees within the company, thereby contributing substantially to the collective success.

    The data protection guidelines for mika:timing GmbH can be found here.

    Data collection on our website

    Who is responsible for the collection of data on our website?

    The processing of data on this website occurs through the website operator. Please find their contact details in the Contact section of this website.

    How do we collect your data?

    One way your data is collected is through your disclosure. This can include data that you have entered into a contact form, for example.

    Other data is automatically collected by our IT system when you visit the website. This mostly includes technical data (e.g. internet browser, operating system, and time of page view). This data is collected automatically when you access our website.

    What do we use your data for?

    Part of the data is collected in order to ensure error-free provision of the website. Other data can be used for the analysis of your user behaviour.

    What are your rights regarding your data?

    You have the right to receive free disclosure concerning how your data was saved, who it is sent to, and for what purpose. You also have the right to demand the correction, blocking, or deletion of this data. If you have any other questions regarding data protection, please contact us at any time at the address included in our contact section. Furthermore, you have the right to appeal to the competent supervisory authority.

    Analytical and third-party tools

    Your browsing behaviour can be statistically analysed when you visit our website. This occurs in particular with cookies and analysis programmes. As a rule, the analysis of your browsing behaviour is done anonymously; browsing behaviours cannot be tracked back to you. You may object to this analysis or prevent it by not using certain tools. Please find detailed information regarding this in the following data privacy statement.

    You may object to this analysis. We will inform you in this data privacy statement about the options to object.

    2. General and Required Information

    Data protection

    The site operators take the protection of your personal data very seriously. We treat your personal data confidentially and in line with data protection laws as well as this data privacy statement.

    When you use this website, different types of personal data will be collected. Personal data is data with which you can be identified as an individual. This data privacy statement explains what data we collect and for what we use it. It also explains how and to what purpose this happens.

    We would like to point out that data transmission over the Internet (e.g. e-mail communication) may have security gaps. A complete protection against access to the data by third parties is not possible.

    Information on the Responsible Body

    The body responsible for the handling of data on this website is:

    mika:timing GmbH
    Authorised managing directors: Harald Mika, Jörg Mika
    Strundepark – Kürtener Straße 11b
    51465 Bergisch Gladbach

    Telephone: +49 2202 2401-0
    E-Mail: info(at)mikatiming.de

    The responsible body is the natural or judicial person who decides on their own or together with others the purposes and means of the handling of personal data (e.g. names, e-mail addresses or similar).

    Withdrawal of your consent to data processing

    Many data processing operations can only take place with your express consent. You may withdraw previously given consent at any time. To do this, simply send us an informal e-mail. The legality of the data processing remains unaffected up until the withdrawal of consent.

    Right of appeal to the competent supervisory authority

    In the event of breaches in the data protection law, the person concerned has the right to appeal to the competent supervisory authority. The responsible supervisory authority for data protection issues is the data protection officer of the federal state in which our company is based. A list of data protection officers as well as their contact details can be found at the following link: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.

    Right to data portability

    You have the right to request that data which we have automatically processed on the basis of your consent or in fulfilment of a contract, be sent to you or to a third party in a common, machine-readable format. Requested direct transfers of data to another responsible person can only occur in as far as it is technically feasible.

    SSL/ TSL encryptions

    This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or requests that you send to us as the site operator. You can recognise an encrypted connection by the change in the address bar of your browser from "http://" to "https://" and by the lock symbol in your browser line.

    When the SSL/ TSL encryption is activated, the data that you send to us cannot be read by third parties.

    Encrypted payment transactions on this website

    If there is an obligation to send us your payment details (such as your account number for direct debit authorisations) following the conclusion of a chargeable contract, these data will be needed for the handling of payments.

    Payment transactions via the usual payment methods (Visa/ MasterCard/ direct debit) are carried out exclusively using an encrypted SSL/ TLS connection. You can recognise an encrypted connection by the change in the address bar of your browser from "http://" to "https://" and by the lock symbol in your browser line.

    During encrypted communications, the payment information that you send to us cannot be read by third parties.

    Disclosure, blocking, deletion

    In line with the effective legal requirements, you have the right to the free disclosure of your saved personal data, its origin and recipients, and the purpose of data handling and, if applicable, the right to the correction, blocking, or deletion of this data. You can contact us about this, or for any other questions regarding personal data at the address stated in our about section.

    Objection against promotional e-mails

    We herewith object to the use of contact information provided within the scope of the obligation to publish an imprint for the purpose of sending unsolicited advertising and information material. The site operators expressly reserve the right to take legal action in the event of unsolicited advertising information, such as spam e-mails.

    3. Data protection officer

    Lawfully designated data protection officer

    We have appointed an external data protection officer for our company. You can contact Ms. Rose Müller at the e-mail address: datenschutz(at)mikatiming.de

    4. Data collection on our website

    Use of cookies

    Some of these web pages use cookies. Cookies do not any damage to your computer and do not contain any viruses. We use cookies to make our product more user-friendly, effective, and secure. Cookies are small text files that are stored on your computer and saved by your browser.

    Most of the cookies we use are "session cookies". These are automatically deleted at the end of your visit. Other cookies are saved onto your device until you delete them. These cookies enable us to recognise your browser on your next visit.

    You can change the settings on your browser to activate notifications about cookies being installed and to allow cookies on an individual basis, exclude the acceptance of cookies under certain conditions, or to eliminate them in general, as well as to activate the automatic deletion of cookies after closing your browser. Deactivating cookies may restrict the functionality of this website.

    Cookies that are required for the processing of electronic communication procedures or for the provision of certain features as requested by you (e.g. shopping cart features) are stored according to Article 6 Paragraph 1 (f) of the GDPR. The site operator has a legitimate interest in storing cookies for the technically accurate and optimised provision of its services. As far as other cookies stored (e.g. cookies for the analysis of your browsing behaviour), these are treated separately in this data privacy statement.

    Our event and partner companies are not authorised to collect, process, or use personal data through our website using cookies.

    Server log files

    The site operator automatically collects and saves information in server log files that your browser automatically transmits to us. These are:

    • IP address of the requesting computer

    • Date and time of the request

    • Accessed site/name of the retrieved files

    • Transmitted data volume

    • Notification of whether the access/retrieval was successful

    • Internet address from which the page/ file was retrieved or the desired feature was initiated.

    • Web browser used

    These data are not combined with other data sources.

    The basis of data processing is Article 6, Paragraph 1 (b) of the GDPR, which allows the processing of data in order to complete a contract or pre-contractual negotiations.

    Contact form

    If you send us an inquiry using the contact form, your details will be saved from the form, including your contact details, for the purpose of processing the inquiry and in case of follow-up questions. We will not share this data without your consent.

    The data entered in the contact form is therefore processed exclusively on the basis of your consent (Article 6 Paragraph 1 (a) of the GDPR). You may withdraw this consent at any time. To do this, simply send us an informal e-mail. The legitimacy of data processing processes up until your withdrawal remains unaffected by the withdrawal.

    The data you have provided within the contact form will remain with us until you request its deletion, withdraw your consent to save the data, or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory statutory provisions - especially retention periods - remain unaffected.

    Processing of data (customer and contract data)

    We collect, process, and use personal data only to the extent necessary for the creation, content design, or change of the legal relationships (inventory data). This is done on the basis of Article 6 Paragraph 1 (b) of the GDPR which allows the processing of data for the fulfilment of a contract or pre-contractual negotiations. We will only collect, process, and use personal data about the use of our website (usage data) only to the extent necessary to enable or invoice the user for the use of the service.

    The collected customer data is deleted upon execution of the order or following the termination of the business relationship. Legitimate retention periods remain unaffected.

    Data transfer upon conclusion of contracts for online shops, dealers, and dispatch of goods

    We only transmit personal data to third parties if it is necessary within the context of processing the contract, such as in the delivery of goods by entrusted companies or the processing of payments through authorised financial institutions. No further data will be transferred or only if you have expressly consented to the transfer. Your data will not be forwarded to third parties without your express consent, for example for advertising purposes.

    The basis of data processing is Article 6, Paragraph 1 (b) of the GDPR, which allows the processing of data in order to complete a contract or pre-contractual negotiations.

    Data transfer following conclusion of contract for services and digital content

    We will only transmit your personal data to third parties if this is necessary within the context of processing the contract, such as the processing of payments through authorised financial institutions.

    No further data will be transferred or only if you have expressly consented to the transfer. Your data will not be forwarded to third parties without your express consent, for example for advertising purposes.

    The basis of data processing is Article 6, Paragraph 1 (b) of the GDPR, which allows the processing of data in order to complete a contract or pre-contractual negotiations.

    6. Analytical Tools and Advertising

    Google Analytics

    This website uses features of the web analysis service Google Analytics. The provider is Google Inc. 1600 Ampitheater Parkway Mountain View, CA 94043, USA. Google Analytics uses "cookies". These are text files that are stored on your computer and that enable an analysis of your use of the website. The information that is generated by the cookie about your usage of this website is normally sent to one of Google's servers in the USA and stored there.

    Google Analytics cookies are stored on the basis of Article 6, Paragraph 1 (f) of the GDPR. The website operator has a legitimate interest in the analysis of user behaviours, to optimise both its web content and its advertisements.

    IP anonymization

    We have activated the IP anonymization feature on this website. As a result, your IP address is shortened by Google within Member States of the European Union or in other countries party to the Agreement on the European Economic Area, prior to being transferred to the USA. Only in exceptional cases will the full IP address be sent to one of Google's servers in the USA without being shortened. On behalf of the operator of this website, Google will use this information to evaluate the usage of the website, to compile reports on the website activity, and to deliver other services related to the website and internet usage to the website operator. The IP address transmitted by your browser in the context of Google Analytics is not merged with other Google data.

    Browser Plugin

    You may refuse the use of cookies by selecting the appropriate settings on your browser. We do however advise that you may not be able to use various features on this website fully if you do. Moreover, you can prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address), as well as the processing of this data by Google, by downloading and installing the browser plugin available on the following link: https://tools.google.com/dlpage/gaoptout?hl=de.

    Opposition to data collection

    You can prevent Google Analytics from collecting your data by clicking on the following link. An opt-out cookie will be set, which prevents the collection of your data on future visits to this website: Disable Google Analytics.

    More information on how Google Analytics handles user data can be found in Google's privacy policy: https://support.google.com/analytics/answer/6004245?hl=de.

    Contract data processing

    We have entered into a contract with Google regarding contract data processing and fully implemented the strict requirements set out by the German data protection authorities when using Google Analytics.

    Demographic features on Google Analytics

    Matomo (formerly Piwik)

    This website uses the open source web analysis service Matomo. Matomo uses "Cookies". These are text files that are stored on your computer and that enable an analysis of your use of the website. For this purpose, the information generated by the cookies about the use of this website is stored on our server. The IP address is anonymised prior to being saved.

    Matomo cookies remain on your device until you delete them.

    Matomo cookies are stored on the basis of Article 6 Paragraph 1 (f) of the GDPR. The website operator has a legitimate interest in the anonymised analysis of user behaviours, to optimise both its web content and its advertisements.

    The information that is generated by the cookie about the use of this website will not be transferred on to third parties. You may refuse the use of cookies by selecting the appropriate settings on your browser. We do however advise that you may not be able to use various features on this website fully if you do.

    If you do not agree to the storage and use of your data, you can deactivate the storage and use here. In this case, an opt-out cookie will be stored in your browser, preventing Matomo from saving usage data. If you delete your cookies, the Matomo opt-out cookie will be deleted as well. The opt-out needs to be reactivated the next time you visit our site.

    [Hier Matomo iframe-Code einfügen] (Click for instructions)

    6. Newsletter

    Newsletter data

    If you would like to receive the newsletter offered on the website, we require your e-mail address as well as information which will allow us to verify that you are the owner of the specified e-mail address and that you agree to receive the newsletter. Further data will not be collected or will only be collected on a voluntary basis. We only use this information exclusively for sending the requested information and do not disclose them to third parties.

    The data entered in the newsletter registration form will be processed exclusively on the basis of your consent (Article 6 Paragraph 1 (a) of the GDPR). You can withdraw your consent to the storage of data, the e-mail address and its use for sending the newsletter at any time, for example via the "unsubscribe" link in the newsletter. The legitimacy of the data processing processes already carried out remains unaffected by the withdrawal.

    The data you provide us for the purpose of subscribing to the newsletter is saved by us until you unsubscribe from the newsletter, and is deleted after you unsubscribe from the newsletter. Data stored by us for other purposes (e.g. e-mail addresses for the member's area) remain unaffected by this.

    BACKCLICK

    This website uses BACKCLICK for the distribution of newsletters. The provider is BACKCLICK GmbH, Brabandtstrasse 8, 38100 Braunschweig

    BACKCLICK is a service for organising and analysing the distribution of newsletters, among other things. The information you enter to subscribe to the newsletter will be stored on Newsletter2Go servers in Germany.

    If you do not wish to have BACKCLICK analyse your data, you must unsubscribe from the newsletter. For this purpose, we provide an appropriate link in every newsletter message. Additionally, you can also unsubscribe directly through our website.

    Data analysis by BACKCLICK

    We are able to analyse our newsletter campaigns with the help of Newsletter2Go. For example, we can see if a newsletter has been opened and which links, if any, have been clicked on. In this way we can determine which links have been clicked on most frequently, amongst other things.

    We can also identify if certain predefined actions have been carried out after opening/clicking on the link (conversion rate). We can identify, for example, if you have made a purchase after clicking on the newsletter.

    BACKCLICK also makes it possible for us to classify newsletter recipients according to different categories ("cluster"). As such, newsletter recipients can be categorised according to age, gender or place of residence. In this way newsletters can be better adapted to each respective target group.

    Detailed information on the features of Newsletter2Go can be found on the following link: https://www.backclick.de/.

    Legal basis

    The data will be processed on the basis of your consent (Article 6 Paragraph 1 (a) of the GDPR). You may withdraw this consent at any time. The legitimacy of the data processing processes already carried out remains unaffected by the withdrawal.

    Storage duration

    The data you provide us for the purpose of subscribing to the newsletter will be stored by us until you unsubscribe from the newsletter and deleted from both our servers and the servers of Newsletter2Go after you unsubscribe from the newsletter. Data stored by us for other purposes (e.g. e-mail addresses for the member's area) remain unaffected by this.

    Further details can be found in BACKCLICK's data protection statement at: https://www.backclick.de/datenschutz/

    Conclusion of a contract for order data processing

    We have entered into an agreement with BACKCLICK in which we commit BACKCLICK to protect our customers' data and not to share it with third parties. 

    Privacy policy and security concept for the protection of personal rights in dealing with personal data

     


    Preface

    The protection of the personal data of customers, employees and the principal’s customers has become a major concern of mika:timing GmbH owing to the growing interconnection of information and communications systems, especially in the execution of sporting events. A major goal of this policy is therefore to offer our customers, employees and also our principal’s customers a consistent and high standard when handling personal data. Our customers and principals expect us to handle these data carefully, and this is the basis for a trusting business relationship.
    When executing sporting events, the event organizer – as principal – and mika:timing GmbH are perceived as a single unit from the participants’ perspective. Management and employees within the company ensure that the following obligations that arise from the data privacy policy are put into practice and that national data protection legislation is complied with, which forms a significant contribution to our joint success.
    Scope of policy and modifications
    This data privacy policy applies to mika:timing GmbH and its employees. It applies to the handling all personal data relating to natural persons, in particular data of customers and customers of the principal as well as prospects, suppliers and employees.
    This policy may only be modified by the data protection officers in collaboration with the management of mika:timing GmbH.

    Applicable legislation

    This data privacy policy contains globally accepted data protection principles without substituting any existing national law. It applies in all cases unless it contradicts relevant national law; furthermore, national law is to be applied where it imposes additional requirements.
    The relevant national law must be observed when there are compelling deviations from, or when it goes beyond, this data privacy policy. The content of this data privacy policy must also be observed when there is no corresponding national law.
    Moreover, this data privacy policy is subject to the law of the Federal Republic of Germany.

    Aims of data protection

    The basis of mika:timing GmbH’s activity is provided by the data of customers and customers of principals on whose behalf mika:timing processes data. These data must be protected against the risk of unauthorised access. However, besides technical protection, customers and principals also generally expect their data to be handled carefully. Lasting business relationships cannot be realised without a trusting relationship to customers and principals. mika:timing has recognised this challenge and acknowledges its responsibility in handling the data with which it is entrusted. With this policy, mika:timing is defining for its own use a data privacy and data protection standard for processing the personal data of customers and principals.
    The policy enhances the competitiveness of mika:timing GmbH and provides the basis for a lasting and trusting business relationship.
    Based on this, mika:timing GmbH has defined the following data privacy objectives:

    1. We handle the data of our customers and employees fairly and with the utmost respect.
    2. We select the methods for protecting the data entrusted to us with great care taking into account the technical and organisational possibilities and we implement them systematically.
    3. We create trust among persons concerned through our transparency and by keeping them well informed.

    Principles of data processing

    The principles of processing personal data are independent of whether the data concerns customers and employees or whether data processing is being performed on behalf of organisers of sporting events. It is also irrelevant as to whether data processing is performed in mika:timing GmbH’s premises or on site in the principal’s premises during a sporting event.

    1. Fairness and legality
    The personal rights of persons concerned must be respected when person-related data are being processed. Data must be processed in a fair and legal manner.

    2. Purpose
    Personal data may only be processed for purposes specified prior to the capture of the data. Subsequent changes to the purposes are only allowed in limited cases. These may occur through contractual agreement with the persons concerned, following the consent of the persons concerned or on the basis of national legislation.

    3. Transparency
    Persons concerned must be informed in a suitable manner about how their data are handled. As a general principle, personal data must be collected from the persons concerned. When data are collected, the persons concerned must be able to recognise, or be appropriately informed about, the following:

    • the identity of the party responsible
    • the purpose of data processing
      The information should reveal what data are being stored and or processed/used, why and for what purpose.
    • third parties, or types of third party, to whom data may be passed on

    This information must be provided to the persons concerned when data are captured for the first time and subsequently whenever necessary. Persons concerned must be notified about the voluntary nature of supplying data for the purpose of marketing.

    4. Data economy
    A check must be made before personal data are processed to see whether and to what degree this is necessary in order to achieve the intended purpose of processing. Anonymised and statistical data must be used if this allows the purpose to be achieved and the effort involved is reasonably proportionate to the intended purpose. This policy does not cover statistical analyses or surveys that are performed on anonymised data.
    Personal data may not be stored for potential future purposes unless this is prescribed by national legislation.
    Data that are no longer required are to be deleted in compliance with existing retention requirements.

    5. Factual accuracy, data currency
    Stored personal data must be correct and up-to-date. Appropriate measures must be taken to ensure that inaccurate or incomplete data are deleted, corrected or supplemented.

    6. Data requiring special protection
    Personal data requiring special protection may only be processed subject to specific conditions.
    Processing must be explicitly permitted or prescribed by national legislation, or processing is necessary in order to assert, exercise or defend legal claims against persons concerned. Persons concerned may also give their explicit consent to processing.
    Where necessary, the data protection officer must be duly notified in writing before the capture, processing or use of such data begins. In particular, account should be taken of the type, extent, purpose, necessity and legal basis for the use of the data.

    7. Need-to-know principle
    With work being organised in increasingly flexible ways , special care must be taken to ensure that employees are only given access to personal data in accordance with the need-to-know principle. The need-to-know principle means that employees may only be given access to the type and quantity of data needed for their relevant tasks. This requires the careful division and separation of roles and responsibilities together with their implementation.

    Disclosure and transmission

    Some business processes require customers’ personal data, or as part of order data processing, to be passed on to third parties. If this does not occur as a result of a legal obligation, a check should be made as to whether the persons concerned have a legitimate interest that precludes this.
    The recipient must be contractually obliged to only use the data for the specified purposes.
    Data may be transmitted to state institutions or the authorities where this is required by relevant legislation.
    In the event that third parties transfer data to mika:timing, steps must be taken to ensure that the data were captured in accordance with applicable legislation and are permitted to be used for the intended methods of processing.
    Appropriate technical and organisational measures based on generally acknowledged standards must be taken to ensure the integrity and security of the data during their transmission to third parties.

    Sub-contracted data processing

    With subcontracted data processing, a service provider is commissioned to perform data processing without being given responsibility for the relevant business process. In the event that personal data are disclosed as part of sub-contracted data processing, the commissioning party retains responsibility for processing.
    Any rights of the persons concerned are to be asserted against the commissioning party. Furthermore, the following requirements must be met when the commission is awarded:

    1. When the sub-contractor is selected, care must be taken to ensure that the sub-contractor can guarantee the technical and organisational requirements and security measures required for processing.
    2. The performance of sub-contracted data processing must be regulated in a written contract where requirements relating to data protection and information security are agreed. It must specify in particular that the sub-contractor may only process data exclusively in accordance with the instructions of the commissioning party.
    3. The contract must be drafted in accordance with this data privacy policy. When executing sporting events, mika:timing assumes the role of a sub-contractor processing the data on behalf of the organiser. Responsibility for processing personal data remains with the event organiser (responsible party).

    Rights of persons concerned

    All persons concerned may exercise the following rights. The responsible party must process any claims for their assertion immediately.

    1. Persons concerned can demand information about the personal data stored that relates to them together with the origin and purpose.
    2. If personal data are disclosed to third parties, information must also be given on the identity of the recipient or on the type of recipient.
    3. If personal data are incorrect or incomplete, persons concerned may demand that they be corrected or amended.
    4. Persons concerned are entitled to demand the deletion of their data if the legal basis for processing the data is lacking or is no longer present. The same applies in cases where the purpose of data processing has ceased to exist through the lapse of time or for other reasons. Existing obligations to retain data must be observed.
    5. Persons concerned may veto the processing of their personal data for the purpose of direct marketing or for market or public opinion research. The data must be blocked for these purposes.
    6. Persons concerned have a specific right of veto to their data being processed which must be observed if their legitimate interest takes precedence over the interest of the responsible party owing to a special personal situation. This does not apply if a legal provision requires data processing.

    If mika:timing performs data processing on behalf of the principal, the latter – the event organiser – will bear responsibility for handling the rights of parties concerned. The commission given to mika:timing will regulate how mika:timing is to support the event organiser in handling the rights of parties concerned.

    Data privacy organisation and data security/ Data protection officer

    According to §4f BDSG, mika:timing is obligated to appoint an independent data protection officer whose task it is to ensure that management and employees are instructed in the legal and/or company-internal provisions and the principles of data protection. mika:timing has appointed Mrs. Rose Müller as external data protection officer.
    The data protection officer must be involved in the development of new products and services at an early stage in order to ensure that they are aligned with the principles specified in this policy.
    Employees are to receive adequate training at regular intervals from the data protection officer on how to handle personal data.
    In the event of data privacy violations and of complaints, employees are obliged to inform the data protection officer immediately. Moreover, all persons concerned can contact the data protection officer with suggestions, queries, requests for information or complaints with regard to questions of data privacy and data security. Queries and complaints will be treated confidentially by request. Decisions made by the data protection officer in order to remedy any data privacy violation must be respected by the management.

    Confidentiality of processing
    Personal data of customers and of the customers of the principal are treated confidentially; it is forbidden for employees to capture, process or use such data in any unauthorised manner. Employees are prohibited from any processing that falls outside the tasks that have been entrusted to them and for which they do not have the appropriate authorisation.
    In particular, it is forbidden for employees to use personal data for their own or for commercial purposes, to disclose them to unauthorised parties and to make them accessible to the latter in any other way..

    Technical and organisational measures
    Appropriate non-disclosure agreements must be concluded in writing with employees when they start work for mika:timing. Furthermore, adequate technical and organisational measures must be taken for business processes and IT systems when handling personal data. mika:timing will also ensure that these legal requirements are effectively implemented vis-à-vis any principals when performing data processing on their behalf. The technical and organisational measures are part of an integrated information security management framework and are adjusted on a continuous basis to take account of technical developments and organisational changes.
    According to the appendix to section 9 clause 1 of the Federal Data Protection Act (BDSG) these measures include:

    1. Denying unauthorised persons access to data processing systems intended for processing or using personal data (physical access control)
    2. Preventing data processing systems from being used by unauthorised persons (data access control)
    3. Ensuring that the persons authorised to use a data processing system only have access to the data they are authorised to use and that personal data cannot be read, copied, modified or deleted during processing, use and storage by unauthorised persons (data usage control)
    4. Ensuring that personal data cannot be read, copied, modified or deleted by unauthorised persons during electronic transmission or during transport or storage on data media and that it is possible to verify and determine at what points it is intended to transmit personal data by data transfer equipment (transfer controls)
    5. Ensuring that it is subsequently possible to verify and determine whether personal data has been entered, modified or deleted in data processing systems and by whom (input control)
    6. Ensuring that personal data that are being processed on behalf of a principal can only be processed in accordance with the principal’s instructions (assignment control)
    7. Ensuring that personal data are protected against random deletion or loss (availability control)
    8. Ensuring that data captured for different purposes are processed separately (separation rule)


    Responsibilities
    As the persons responsible for data processing, the management of mika:timing GmbH are obliged to ensure that all legal data protection requirements and requirements formulated in the data privacy policy are observed. It is a management duty to ensure by means of organisational, staff-related and technical measures that data are processed in a due manner in accordance with data protection principles. The data protection officer checks at regular intervals to ensure that the data privacy policy and applicable data protection legislation are complied with.

     

    Terminology and definitions

    • Data are said to be anonymised when a reference to a particular person can no longer be established by anyone or when the reference to the person could only be established again using a disproportionate amount of time, expense and effort.
    • Data requiring special protection are those data relating to racial or ethnic origin, political opinion, religious or philosophical belief, trade union membership, health or sexual orientation of persons concerned. Further categories of data may be classified as requiring special protection or the content of the data categories may be defined differently based on national legislation. Similarly, data relating to criminal offences may often only be processed under special conditions established in national legislation.
    • Persons concerned as referred to in this privacy policy include all natural persons whose data are processed.
    • Third parties are all those outside the persons concerned and the party responsible for data processing. Sub-contractors, who are in legal terms assigned to the responsible party, are not third parties either.
    • Consent is a voluntary, legally binding declaration of agreement to data processing.
    • It is necessary to process personal data if the authorised purpose or legitimate interest cannot be achieved without the relevant personal data, or can only be achieved with disproportionate effort.
    • Personal data include all information relating to a specific or identifiable natural person. A person is identifiable e.g. when the reference to the person can be established through a combination of information with only coincidentally available additional knowledge.
    • Transmission or disclosure is any notification of protected data by the responsible party to third parties.
    • Data processors are natural persons or legal entities, authorities, institutions or any other party that process personal data on behalf of the party responsible for data processing (sub-contracted data processing).
    • Processing of personal data is any procedure executed with or without automated methods for capturing, storing, organising, archiving, modifying, querying, using, disclosing, transmitting, distributing or combining and comparing data. It also includes the disposal, deletion and blocking of data and data media.
    • Responsible party is the legally independent business whose business activity is the cause of the processing.

    Security Concept

    Preface
    This document describes the key elements of data protection management at mika:timing GmbH.

    Data protection management system
    Data protection management is based on the requirements of the Federal Data Protection Act (Bundesdatenschutzgesetz, hereinafter referred to as BDSG) in its currently valid version, additional regulations and guidelines pertaining to data protection and existing case law. The current state of technology and recognised expert opinions and knowledge gained from years of dealing with critical and sensitive data are also important in shaping data protection management at mika:timing.

    Data confidentiality and information
    As part of the appointment process, all internal and external employees enter into a written undertaking to maintain data confidentiality pursuant to Section 5 BDSG. The undertaking continues to remain valid after termination of their activity.
    On 1st January 2012, mika:timing appointed Ms Rose Müller as external data protection official. The basic knowledge of data protection pursuant to Section 4g No. 2 BDSG is initially conveyed in written form through the provision of corresponding information material. Employees sign to confirm that they have received the information brochure and that they undertake to familiarise themselves with its contents. The basic knowledge is consolidated during employee training courses organised by the data protection official and is expanded to include aspects specific to individual jobs. These training courses are held regularly, at least every two years, with the first course having taken place in October 2013.

    Principles relating to collaboration with customers

    Data processing sub-contractor

    mika:timing is a data processing sub-contractor and generally acts on the basis of Section 11 BDSG. In this context, it takes the appropriate technical and organisational measures, in order to comply with the control requirements of Section 9 BDSG and the annex to Section 9 first sentence BDSG. A data protection concept for mika:timing was drawn up in consultation with the data protection official. The guidelines on various issues listed therein (including but not limited to guidelines on IT security, passwords and access) are drawn up and/or adapted and established on a binding basis within the Company. They are subject to a regular annual review and are adapted where necessary.Contractual provisions relating to sub-contracted data processing exist with customers and suppliers in accordance with the respective applicable statutory regulations.In general, testing and production systems are physically separated.

    Control rights

    In consultation with mika:timing, a customer may form his own impression concerning compliance with data protection requirements; this must be done during normal office hours and in the presence of a competent staff member.

    Handling of bank and credit card data

    Where it receives a corresponding mandate from the customer, mika:timing shall collect the participant fees which are owed in advance of the event and shall collect them from the athlete's account by direct debit or, if the athlete so wishes, via the athlete's credit card. To enable this, the athlete's bank details/credit card details shall be requested during the online registration procedure. To ensure the data are properly processed, mika:timing GmbH's systems regularly undergo a PCI ASV security scan. mika:timing also uses an ID/IP system to protect the infrastructure. The customer (event organizer) shall have no access to bank details during this process. mika:timing shall transfer the collected fees en bloc to the customer in accordance with the agreement concluded with it. In the event of misuse, mika:timing shall assume exclusive liability, not the customer.