Data Privacy Policy of AV-TEST GmbH

We, AV-TEST GmbH (hereinafter also referred to as “AV-TEST” or “Controller”), take the protection of personal data very seriously and adhere to the pertinent data protection law provisions, in particular the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). Below, we would like to inform the users of our av-test.org and iot-tests.org websites, in particular, of what data we collect in the context of the use of our website, and how we use it.

1. General remarks

1.1 Extent of data processing

As a matter of principle, we collect and use personal data of our users only to the extent necessary for the provision of a functioning website and of our contents and services. The collection and use of the personal data of our users takes place only where the processing of data is permitted by statutory provisions or after consent has been granted by the user.

1.2 Legal bases for the processing of data

Where the consent of the user for processes in relation to the processing of personal data is obtained by us on our website, Art. 6 (1) lit. a GDPR serves as a legal basis for the processing of personal data.

Art. 6 (1) lit. b GDPR serves as a legal basis for the processing of personal data required for the performance of a contract to which the user is a party. This also applies to processing operations necessary for the performance of a quasi contract obligation or for precontractual measures.

If and when the processing of personal data is required for the fulfilment of a legal obligation to which our company is subject, Art. 6 (1) lit. c GDPR serves as a legal basis.

Where processing is necessary for the protection of a legitimate interest of our company or a third party and the first-mentioned interest is not overridden by the interests, basic rights and the fundamental freedoms of the user concerned, Art. 6 (1) lit. f GDPR serves as a legal basis for processing of the data (so-called weighing of interests).

Apart from that, there are other statutory provisions for the processing of personal data, which – to the extent pertinent – are concretely specified by us below.

1.3 Duration of storage

The users’ personal data will be deleted or blocked as soon as the purpose of storage has ceased to exist. Apart from that, storage may be made where this has been provided for by the European or national legislator in regulations, laws or other provisions of the European Union to which our company is subject.

Blocking or deletion of the data will also take place when a period for storing of the data prescribed by the above-mentioned norms has expired, unless there is a necessity for the continued storage of the data for the conclusion or fulfilment of a contract.

1.4 The passing on of personal data

If we pass on personal data, we do so exclusively to service providers supporting us with fulfilling the above-mentioned purposes. These companies, as so-called data processing companies, are not allowed to use your personal data except for fulfilling their tasks on our behalf and they are obligated to adhere to the pertinent data protection rules. The data processing companies which may be employed by us are explicitly mentioned by us below.

Apart from that, there is no passing on of personal data to third parties.

1.5 Place where the data is processed

Processing of your personal data stored takes place in countries of the European Economic Area, exclusively.

2. Processing of personal data on the website

2.1 Provision of the website and creation of logfiles

2.1.1 Description of the data processing operation

Whenever our website is called up, our system automatically collects data and information from the system of the computer calling up the website.

In doing so, the following data are collected and stored in the logfiles of our system:

  • The website requested from our server
  • Information on the type of browser and version used
  • The user’s operating system
  • The user’s internet service provider
  • Date and time of the access
  • Websites from which the user’s system accesses our website (so-called “referrer”)
  • The amount of data transferred (in bytes)

There is no registration of the user’s complete IP address in our logfiles; thus, it is not possible to track down a specific user.

There is no storing of these data together with other personal data of the user.

2.1.2 Legal basis for the processing of data

Art. 6 (1) lit. f GDPR is the legal basis for the temporary storage of data and logfiles.

2.1.3 Purpose of the processing of data

The temporary storage of the IP address by the system is necessary to deliver the website to the user’s computer. For this purpose, the user’s IP address must remain stored for the duration of the session.

The storage in logfiles is done to ensure the functionality of the website. In addition, the data help us to optimize the website and to ensure the security of our information technology systems. An evaluation of data for marketing purposes does not take place in this context. Also, there is no registration of the user’s complete IP address in our logfiles.

These are the purposes wherein our legitimate interest in the processing of data in accordance with Art. 6 (1) lit. f GDPR lies.

2.1.4 Duration of storage

The data will be deleted as soon as it is no longer required for achieving the purpose for which it was collected. Where the data has been collected for the purpose of provision of the website, this is the case when the respective session has ended. Apart from that, the logfiles are deleted when they are no longer required for evaluation by the “Webalizer” tool (cf. no. 2.4). Storage beyond this point is possible, e.g. where there is a suspicion of cases of fraudulent use, for adherence to statutory requirements etc.

2.1.5 Possibility of objection and removal

The collection of data for the provision of the website and the storage of data in logfiles is absolutely necessary for operation of the website. Consequently, there is no possibility of objection on the part of the user.

2.2 Contact form and e-mail contact

2.2.1 Description of the data processing operation

There is a contact form on our website which can be used for making contact electronically. Where a user makes use of this possibility, the data entered in the form are transmitted to us and stored. These data are:

  • Name
  • E-mail address
  • Your message
  • Captcha

Alternatively, contact may be made via the e-mail address made available by us. In this case, the user’s personal data transmitted together with the e-mail will be stored.

No passing on of data to third parties takes place in this context. The data is used for processing the conversation, exclusively.

2.2.2 Legal basis for processing of the data

The legal basis for processing of the data is Art. 6 (1) lit. f GDPR. Where the e-mail contact is aimed at the conclusion of a contract or a quasi contract obligation, Art. 6 (1) lit. b GDPR is an additional legal basis for the processing.

2.2.3 Purpose of the processing of data

The processing of personal data from the input form serves us to process the communication, exclusively. This is also where the required legitimate interest in the processing of data lies in the event of contact.

2.2.4 Duration of storage

The data will be deleted as soon as it is no longer required for achieving the purpose for which it was collected. As regards personal data from the input mask of the contact form and those transmitted by e-mail, this is the case when the respective conversation with the user has been terminated, unless deletion is prevented by statutory or contractual storage periods. The conversation has been terminated when it can be inferred from the circumstances that the respective facts have been clarified conclusively.

2.2.5 Possibility of objection and removal

Where users contact us by contact form or e-mail, they may object to the storage of their data at any time. The objection may be made by notification to the contact information at the end of our Data Privacy Statement. In the event of objection, the conversation with the user cannot be continued and all the personal data stored within the course of making the contact will be deleted by us.

2.3 E-mail newsletter

2.3.1 Description of the data processing operation

Where you have registered on our website to receive an e-mail newsletter, the contact information requested in the input form (in this case only the e-mail address) is transmitted to us. If subscription to the e-mail newsletter is made by you via the registration button, we will first send you an e-mail. In order to prevent misuse, the e-mail newsletter will only be dispatched after you have confirmed our e-mail.

As regards dispatching of the e-mail newsletter, we have commissioned the service provider CleverReach GmbH & Co. KG, Mühlenstr. 43, 26810 Rastede, Germany. This company, as a so-called data processing company, is not allowed to use your personal data other than for fulfilling the tasks on our behalf and is obligated to adhere to the pertinent data protection provisions. Apart from that, there is no passing on of data to third parties within the context of data processing for the dispatch of e-mail newsletters. The data is used for dispatching the newsletter, exclusively.

2.3.2 Legal basis for processing of the data

The legal basis for processing of the data upon subscription to the e-mail newsletter by the user is Art. 6 (1) lit. a GDPR, where the user has granted his/her consent.

2.3.3 Purpose of the processing of data

The user’s e-mail address is collected for the purpose of delivering the e-mail newsletter.

2.3.4 Duration of storage

The user’s e-mail address is stored only as long as his/her subscription to the e-mail newsletter is active.

2.3.5 Possibility of objection and removal

The user may, at any time, withdraw his/her consent to receiving the e-mail newsletter. The withdrawal may be made either via a link in the newsletter itself or by notification to the contact information at the end of our data privacy statement.

2.4 Webalizer

2.4.1 Description of the data processing operation

On our website, we use the “Webalizer” tool for purposes of analyzing the user behavior. Analysis of the user behavior is important as, by this way, it is possible to analyze the demand for contents and thus to optimize the online offer. The user data collected will not be used to create user profiles.

It is only statistical data, like e.g. the website contents visited most frequently, the browsers used most frequently, the countries from which most of the retrievals originate, which is collected via the “Webalizer” tool.

In the version used by us, the “Webalizer” tool works with the anonymization of IP addresses. Thereby, the IP addresses are shortened by the last three digits before they are used to analyze the user behavior. Thus it is no longer possible to relate them to a specific person and you as the user remain anonymous to us.

The anonymized data sets are stored on our web server and then evaluated internally for statistical purposes, exclusively. The data are at no time disclosed to third parties. The “Webalizer” tool does not use cookies.

2.4.2 Legal basis for processing of the data

Art. 6 (1) lit. f GDPR is the legal basis for processing of the data in the described manner using the “Webalizer” tool.

2.4.3 Purpose of the processing of data

Through the “Webalizer” tool we get to know how the website is used so that we are able to continually optimize our online offer. This is also where our legitimate interest in processing of the personal data pursuant to Art. 6 (1) lit. f GDPR lies.

2.4.4 Duration of storage

The statistical information stored will be deleted by us after three years at the latest.

2.4.5 Possibility of objection and removal

The user may object to storing of this information by notification to the contact information at the end of our data privacy statement.

3. Use of cookies

3.1 Description of the data processing operation

We use “cookies” to make visiting our website more attractive and to enable the use of certain functions. Cookies are small text files stored in the browser or by the browser on the user’s terminal. When a website is called up by a user, a cookie may be stored on the user’s operating system. This cookie contains a characteristic character string which allows the browser to be identified unambiguously when the website is called up again.

3.1.1 Technically necessary cookies

We use cookies to make our website more user-friendly. Some elements of our website require that the browser accessing it can be identified even after a page change. The following data is stored in the cookies and transmitted:

  • Use of the comments function on the iot-tests.org website

3.1.2 Technically unnecessary cookies

Apart from that, we do not use any technically unnecessary cookies on our website and also no third party cookies.

3.1.3 Information on a change of the browser settings

Most browsers are set in a way that they automatically accept cookies. The user may, however, prevent the storing of cookies on his/her computer by adjusting the browser settings accordingly. This may, however, restrict the function scope of our website.

3.2 Legal basis for the processing of data

The legal basis for the processing of personal data using cookies is Art. 6 (1) lit. f GDPR.

3.3 Purpose of the processing of data

The purpose of the use of technically necessary cookies is to make it easier for the user to use the website. Some of the functions of our website cannot be offered without using cookies. For these functions it is necessary that the browser can be recognized again after a page change.

The user data collected on our website using cookies are not used for the creation of user profiles.

The above-mentioned purposes are also the ones wherein our legitimate interest in the processing of data in accordance with Art. 6 (1) lit. f GDPR lies.

3.4 Duration of storage, possibility of objection and removal

Cookies are stored on the user’s computer and transmitted from there to our website. Thus, you as the user have full control of the use of cookies. By changing the settings of your internet browser you may deactivate or restrict the transmission of cookies. Cookies which have already been stored can be deleted any time. This can also be done automatically. The full use of all the functions of our website may no longer be possible where cookies have been deactivated for the website.

4. Reference to social networks

4.1 Social media

Our internet presence under av-test.org and iot-tests.org is supplemented by official presences of AV-TEST in the following social networks:

  • Facebook – Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA
  • Google+ – Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
  • Twitter – Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA
  • YouTube – Google Inc., 901 Cherry Avenue, San Bruno, CA 94066, USA

Visitors of our website have the possibility to get to these presences via references (links). Within the context of our internet presence, the links are marked by the Facebook, Google+, Twitter or YouTube logo. Social plugins of the above-mentioned networks are not used.

When following the links to the social networks, please be aware that the respective social network is responsible for the processing and use of personal data and that AV-TEST has or gets no knowledge whatsoever of the actual extent and contents of the data transmitted and its use by the respective provider.

It must be assumed that, at least, the IP address and device-related information are collected and used. It is also possible that cookies are used by the social networks. For information on the extent of processing of your personal data by the providers of the social networks and the possibilities of adjusting settings in order to protect your privacy, please see the data protection guidelines of the respective provider.

4.2 Integration of YouTube videos

We use YouTube as a provider for the integration of videos on our website. YouTube is a service of Google Inc., domiciled at 901 Cherry Avenue, San Bruno, CA 94066, USA. We use integrated YouTube videos in the so-called extended data protection mode, i.e. YouTube does not store information on users of our website, unless the video is watched by the users.

By clicking the YouTube video, further data processing operations may be triggered (e.g. the storing of cookies by YouTube) which AV-TEST has no influence on. For further information on the purpose and extent of the collection and use of data by YouTube and on your rights and the possibilities of adjusting settings for protection as a YouTube customer, please see the data privacy statement of YouTube (https://www.youtube.com/t/privacy).

5. Rights of data subjects

Where personal data from you are processed you are a data subject in the meaning of the GDPR and have the following rights towards the controller:

5.1 Right to information

You may request from the controller a confirmation on whether personal data concerning you are processed by us.

Where such processing takes place you may request from the controller information on the following issues:

  • the purposes personal data are processed for;
  • the categories of personal data processed;
  • the recipients or categories of recipients towards which the data concerning you have been disclosed or will be disclosed;
  • the intended period of storage of the personal data concerning you or, if it is not possible to provide exact information on that issue, the criteria used to determine the period of storage;
  • the existence of a right to rectification or deletion of the personal data concerning you, a right of restriction of processing by the controller or a right of objection against this processing;
  • the existence of a right to lodge a complaint with a supervisory authority;
  • any and all available information on the source of the data, where personal data have not been obtained from the data subject;
  • the existence of automated decision-making, including profiling, pursuant to Art. 22 (1) and (4) GDPR and – at least in such cases – meaningful information on the logic involved and the significance and the intended consequences of such processing for the data subject.

You are entitled to request information on whether the personal data concerning you is transferred to a third country or an international organisation. In this context, you may request to be informed about the appropriate safeguards in connection with the transfer in accordance with Art. 46 GDPR.

5.2 Right to rectification

You have a right to rectification and/or supplementation towards the controller, where the processed personal data concerning you are incorrect or incomplete. The controller shall perform the rectification, immediately.

5.3 Right to restriction of processing

You are entitled to request the restriction of processing of the personal data concerning you where the following conditions are fulfilled:

  • where you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and you oppose the deletion of the personal data and, instead, request restriction of the use of the personal data;
  • the controller no longer needs the personal data for the purposes of processing, while you require it for the assertion, exercise or defense of legal claims, or
  • where you have objected to the processing pursuant to Art. 21 (1) GDPR pending the verification whether the legitimate grounds of the controller override your reasons.

Where processing of the personal data concerning you has been restricted such data shall – with the exception of storage – only be processed with your consent or for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

Where processing has been restricted in accordance with the above-mentioned requirements, you will be informed by the controller before the restriction of processing is lifted.

5.4 Right to deletion

5.4.1 Obligation to delete

You may request from the controller that the personal data concerning you are deleted, immediately, and the controller is obligated to immediately delete such data where one of the following reasons applies:

  • The personal data concerning you is no longer needed for the purposes for which it was collected or processed otherwise.
  • You withdraw your consent on which the processing was based pursuant to Art. 6 (1) lit. a or Art. 9 (2) lit. a GDPR, and no other legal ground for processing exists.
  • You object to the processing pursuant to Art. 21 (1) GDPR, and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR.
  • The personal data concerning you have been processed unlawfully.
  • Deletion of the personal data concerning you is required for compliance with a legal obligation under the Union law or the law of the Member States the controller is subject to.
  • The personal data concerning you have been collected in relation to the offer of information society services pursuant to Art. 8 (1) GDPR.

5.4.2 Information to third parties

Where the controller has made the personal data concerning you public and is obliged pursuant to Art. 17 (1) GDPR to delete it, the controller, taking account of available technology and the cost of implementation, shall take reasonable measures, including technical ones, to inform controllers processing the personal data that you as the data subject have requested from them the deletion of any and all links to such personal data or of copies or replications of such personal data.

5.4.3 Exceptions from the obligation of deletion

There is no right to deletion where processing is necessary

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation requiring processing under the Union law or the law of the Member States to which the controller is subject or for the performance of a task which is in the public interest, or in the exercise of official authority bestowed on the controller;
  • for reasons of public interest in the area of public health pursuant to Art. 9 (2) lit. h and i, as well as Art. 9 (3) GDPR;
  • for archiving purposes, scientific or historical research purposes in the public interest or for statistical purposes in accordance with Art. 89 (1) GDPR, in so far as the right referred to under paragraph a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  • for the assertion, exercise or defense of legal claims.

5.5 Right to notification

Where you have asserted the right to rectification, deletion or the restriction of processing towards the controller, the controller shall be obligated to communicate such rectification or deletion of data or restriction of processing to the recipients to whom the personal data concerning you have been disclosed, unless this proves impossible or involves disproportionate effort.

You have a right towards the controller to be informed of such recipients.

5.6 Right to data portability

You have the right to receive the personal data concerning you, which you have made available to the controller, in a structured, commonly used and machine-readable format. In addition, you have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been made available, where:

  • the processing is based on consent pursuant to Art. 6 (1) lit. a GDPR or Art. 9 (2) lit. a GDPR or on a contract pursuant to Art. 6 (1) lit. b GDPR, and
  • processing is carried out using automated techniques.

In exercising this right you also have the right to obtain the transmission of the personal data concerning you from one controller to another directly, where technically feasible. Freedoms and rights of other persons must not be affected thereby.

The right to data portability shall not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority bestowed on the controller.

5.7 Right to object

You have the right to object, at any time, on grounds resulting from your particular situation, to the processing of personal data concerning you which is based on Art. 6 (1) lit. e or f GDPR; this applies also to profiling based on such provisions.

The controller shall no longer process the personal data concerning you, unless the controller is able to demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing is for the purpose of asserting, exercising, or defending legal claims.

Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of the personal data concerning you for the purpose of such marketing; this includes profiling to the extent it is related to such direct marketing.

Where you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

In the context of the use of information society services you may – notwithstanding Directive 2002/58/EC – exercise your right to object by means of automated techniques using technical specifications.

5.8 Right to revoke the declaration of consent under data protection law

You have the right to revoke at any time your declaration of consent under data protection law. Revoking the consent does not affect the legitimacy of the processing based on the consent performed until the revocation.

5.9 Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you. This shall not apply where the decision

  • is necessary for concluding or fulfilling a contract between you and the controller,
  • is permissible due to legal provisions of the Union or the Member States to which the controller is subject, and where such legal provisions also contain suitable measures to safeguard your legitimate interests, or
  • is made with your explicit consent.

However, such decisions shall not be based on special categories of personal data referred to in Art. 9 (1) GDPR, unless Art. 9 (2) lit. a or g applies and suitable measures to protect the rights and freedoms and your legitimate interests have been taken.

As regards the cases referred to in the above points (1) and (3), the controller shall implement suitable measures to safeguard your rights and freedoms and your legitimate interests, including, at least, the right to obtain intervention by one person on the part of the controller, to express his/her point of view and to contest the decision.

5.10 Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your place of residence, your place of work or place of the alleged infringement if you are of the opinion that processing of the personal data concerning you infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

6. Links to other websites

Our website may contain links referring to the pages of third parties. We have no influence on the contents and design of the pages of external providers. Insofar, this data protection statement does not apply there.

7. Alteration of this Data Privacy Statement

The continuous development of the internet and the related frequent amendments to the applicable legal norms require our Data Privacy Statement to be adjusted from time to time. We will keep you informed here about any corresponding alterations.

8. Controller

Controller in the meaning of the GDPR and other national data protection laws of the EU Member States, as well as other data protection law provisions is:

AV-TEST GmbH
Klewitzstr. 7
39112 Magdeburg
Germany

Telephone: +49 391 6075460
Telefax: +49 391 6075469

E-mail: info(at)av-test(dot)de

Website: www.av-test.org

For the full imprint see: https://www.av-test.org/en/contact/legal-notice/

9. Contact details of the data protection officer

The contact details of the controller’s data protection officer are:

Erik Heyland

E-mail: datenschutz(at)av-test(dot)de

Magdeburg, May 2018
