In both cases, "business-critical” cookies and tracking technologies are used regardless of consent. These include analysis tools and services for measuring reach, including SZMnG (next generation scalable central measuring procedures) from INFOnline GmbH and services provided by the German Audit Bureau of Circulation (IVW) or the German Association of Online Research (AGOF). We also collect data necessary for ensuring the constant security and functionality of our websites. A more detailed overview of these services and cookies and the options available for partial opt outs (i.e. deactivating tracking) can be found in Section 4. The legal basis for this is also the European Cookie or ePrivacy Directive in conjunction with the German Telemedia Act (Telemediengesetz; Par 12 et seq.) and/or the European General Data Protection Regulation (Art. 6, Par 1, lit. a (consent) and f (legitimate interest).

We recommend the PUR option if you wish to deactivate advertising- or third-party tracking on our website. Simply activating the Do Not Track Mode in your browser is not sufficient. As an alternative, you have the possibility of individually "opting out” of all the service providers that are listed.

The deactivated services are not only blocked for our services, but also generally for the device that you are using. The settings are saved for your device or browser. If you are using more than one browser on more than one device, you must (de-)activate settings on each browser individually, because we are neither able nor permitted to synchronize opt-outs for you. The "PUR” option with log-in, on the other hand, is of course active on all devices.

The list of cookies and services that are used changes from time to time, so please visit this page on a regular basis. We update the information frequently and always in compliance with the legal framework.

However, this in no way affects your fundamental right to data protection. Should we hold personal data about you, you have the right to information and rectification at any time, and in most cases to restriction of processing, erasure, blocking and/or transfer of the data to you. Details about these rights are provided in Section 10. If you have any questions, you can contact us at any time at datenschutz@spiegelgruppe.de.

2 | What we promise you

We will store, process and use your data only in the manner described in this notice, and in compliance with German and European data protection legislation. Naturally, we maintain data secrecy. We treat your data confidentially and do not pass it on to third parties other than to closely associated service providers, who may process subscriptions, payment services, video delivery, or premium and advertising business or other services on our behalf. These service providers are under obligation to use your data only for the purpose provided for in the relevant contract, and not to pass it on to anyone else under any circumstances. When we refer to "we" in this declaration, this also includes these closely associated service providers.

Only when you are registered and logged in with us will your user account – including concrete details about you – be stored in certain cookies, so that you can use our products and services without having to log in every time. All other data collected by way of cookies, device IDs or similar procedures is used pseudonymously and they are not merged with the customer or profile data stored by us. For additional information about advertising tracking, third-party cookies and our analysis of activity on our website, please see Section 1. This data, however, is only used to a limited extent for the personalization of our website, for advertising and for market research, provided you have given your express consent , which can be done in each individual case.

Whenever you visit our websites, we temporarily store the IP address of your Internet access and the pages you call up, or in the apps, the device number, if applicable, so that basic services such as authorization assignment can function. However, we never identify you personally with this data and we always delete this data after 30 days.

The latest SSL security standard (256-bit Secure Socket Layers) is used across all of our products and services. Your data is encrypted directly during transmission and all data protection-relevant information such as credit card number, bank code, bank account number, name and address is stored in encrypted form in a protected database. In order to administer your shopping cart, we need a session cookie (which is deleted when the browser is closed) or, alternatively, a session identifier in the access path of the web pages (12 digits preceded by a dollar sign) that is invalidated after a half hour of inactivity (the shopping cart and data are then discarded).

3 | What we know about you as an individual

• We can only recognize you by your name, your address, your age and other personal details if you have supplied them yourself -- either to us, or perhaps to our implementation partner Plenigo, which is closely integrated into our site and manages digital subscriptions, and which is obliged to protect your data that they process on our behalf -- when, for example, registering for a digital subscription, for the use of our forums or to take advantage of other parts of the website by way of a user account. Data protection information pertaining to classic print subscriptions to DER SPIEGEL can be found here.

• We only know you by your email address if you have used it to directly register with us for a newsletter, forum or a contest, for example, or with one of our cooperation partners such as Newsletter2Go, MailChimp or Salesforce, which send emails on our behalf and which also must protect your data in the framework of our cooperation. In the event of contests, we may pass your data on to prize sponsors for processing -- to send the prize, for example, within the scope of the applicable conditions for participation for each contest.

• We only know you by your mobile phone number if you have actually registered it for a digital service, such as our headline news in WhatsApp or Telegram operated by our partner WhatsBroadcast, which offers a service on our behalf and as a processor must also protect your data. For information about the use of data relating to classic print subscriptions, we refer you to this data protection information.

In each case, we process your data on the basis of your consent and then only use the respective data in the provision of the actual products and services for which you have registered. If you contact us as an identifiable individual, through a contact form, for example, in addition to your name and email address we may also store such details in our system as the time and place a registration takes place or a message is sent to us; the download, purchase or attempted purchase of products or services; in some cases, also the dispatch or opening of newsletters, emails and push messages; also contact via email or interest in individual products or services. As long as and to the extent that we do not need to make the data available due to legal or contractual requirements, you may revoke your consent for usage at any time. This often requires nothing more than unsubscribing from the product or service in question, but naturally this means that you can no longer use it. You can always find more information on unsubscribing directly in the product or service in question. For newsletters, you can unsubscribe directly in the newsletter itself, from the WhatsApp service in WhatsApp, and so on.

Essentially, we only process personal data to fulfill our contractual obligations to our users. We need to process data to be able to, for instance, suggest suitable products and services or information to you. With certain products and services, we have to ensure that access requests come from humans and not automated programs. To prevent such abuses, we use Google's reCaptcha service, which uses a truncated version of your IP address and other necessary data (only in the event of technical outage in Europe, for instance, is it possible that the IP address will be truncated in the USA). The reCaptcha data is not merged with other Google data.

Please note that if you make a purchase through one of our apps, the payment is usually processed by Apple or Google as the operator of the respective app store. The companies receive your order information and link it to your App Store account to complete the purchase transaction and inform us of your eligibility to access paid products like subscriptions. Under no circumstances, however, do we receive your personal profile and payment data from the stores in question – that is the responsibility of the respective app store operators. 

4 | How we analyze the usage of our products and services

Which articles are currently being read? How often? By how many people? How much time do viewers spend watching videos? How often do users visit our sites? For us it is important to learn about the preferences and desires of our readers. That's why we use analysis services which can offer us trending topics in real time and comparison with the competition on a daily or monthly basis. The legal basis for this is the European Cookie or ePrivacy Directive in conjunction with the German Telemedia Act (Telemediengesetz; Par 12 et seq.) and/or the European General Data Protection Regulation (Art. 6, Par 1, lit. a (consent) and f (legitimate interest). These services are largely integrated via the Google Tag Manager, which does not collect any data itself. We also never record you as an individual -- at most we use a pseudonym and we do not present advertising or other products or services on the basis of that information.

Instead, for as long as, and to the extent that you have not decided to obtain a "PUR" subscription, advertising trackers are used, about which you can find further information here.

Irrespective of the consent to advertising tracking, the PUR service also uses "business critical" cookies and tracking technologies, for reach measurement and function assurance in particular. You can find additional information about those cookies here in tabular form, with the names of the respective cookies / tracking services and their attributes.

In addition, the following general information applies:

• Market reach comparison: The aim of the reach measurement is to determine the intensity of use, the number of users of a website and their surfing behavior statistically – i.e. on the basis of standard procedures that are applied in a uniform manner – and to thus obtain comparable values across the market. The company INFOnline analyzes the general reach of our sites and other sites in Germany with anonymized cookies and/or information that your browser automatically transfers – you can find details on anonymization at the end of this declaration. The data is used for official reach comparison by the associations IVW (www.ivw.eu), AGOF (www.agof.de) and agma (www.agma-mmc.de). You can opt out of this measuring in web browsers here ; in apps you can deactivate them in settings (for iOS in iOS Settings > App > AGOF-Zählung, for Android directly in the app menu under Data protection > IVW/AGOF-Zählung). Through the company INFOnline , we also set session cookies from the copyright collective VG Wort, which analyze the use of a specific text without recording your data, not even anonymously. The analysis is performed to estimate how often texts are printed, copied or otherwise reproduced. Authors are then paid a share of the copyright fees to which they are legally entitled. You can also object to the session cookies of VG Wort using the links mentioned above.

• General analysis with Adobe Analytics: To comprehensively optimize our products and services, we use the web analysis service from Adobe, which uses cookies to scan the usage of our websites both in real time and over the long term. The information collected, including your IP address, is transmitted to the service's servers in Europe, where it is anonymized, (replaced by a generic string of characters) and stored. We use this information to evaluate user activity on our website, to compile reports on website activity and to offer personalized services relating to website and internet use. Because of the anonymization process, no personal or pseudonymous data is stored. You can block cookies, and thus also prevent Adobe analytics, by changing your browser settings. Assistance in doing so can be found here .

• General analysis with Google Analytics and supplementary services: To comprehensively optimize our products and services beyond this analysis, in a few stand-alone areas of the site such as abo.spiegel.de, we use the web analysis service Google Analytics, which uses cookies to scan usage both in real time and over the long term. The data is generally transferred to U.S. servers and stored there; however, because we have activated IP anonymization, Google must first truncate your IP address in an EU or EEA country (only in the event of technical outage in Europe, for instance, is the IP address first truncated in the U.S.). Even when you have registered with us through a user account and are logged in, you will never be personally identified in Google Analytics – rather only through a pseudonym that we create from your user account and for which organizational measures prevent any connection to you. In particular, we need this pseudonym to standardize analytics data from your various devices and browsers and to optimize our products and services across them. To learn more about the basic composition of our users – even if many readers are not registered – we also use the AMP Client ID interface to integrate text usage with the rapid AMP standard for mobile devices; we also use Google Advertising Reporting Features to interweave anonymous usage data with demographic and interest data from Google’s DoubleClick advertiser network and the Google advertising services that we use. You can find out more about deactivating cookies from DoubleClick (with whom we share anonymous usage data) in the section on our advertising partners. In each case, Google works on our behalf and guarantees not to merge data from Analytics with other Google data. You can reject the above-mentioned data capture and processing in web browsers here by installing a browser plug-in; in apps you can deactivate it in settings (for iOS in iOS Settings > App > Google Analytics, for Android directly in the app menu under Data protection > Google Analytics).

• Optimization analysis with Google Optimize and Hotjar: We use the analysis service Google Optimize to experimentally configure our sites in a number of different variations and to optimize them using comparative statistics. By using cookies, we can anonymously differentiate between test groups. The data is processed by Google Analytics in the manner described; if you deactivate Google Analytics, your data is not included in the comparative tests. We also use spot samples to analyze movement, clicks or swiping behavior on some of our webpages to improve the structure of our products, services and pages. For this purpose, the European service Hotjar records random and anonymized data during a small share of sessions. As such, it is impossible to identify any individual. This data is stored anonymously in Ireland and deleted after a maximum of 365 days. It can be deleted earlier upon request.

• Usage analysis with Firebase and Pushwoosh: We use the services Firebase and Pushwoosh to bring information into websites and apps in real time, for example push messages in apps. These are integral components of our products and services and cannot be deactivated. Anonymous data is also sent to Firebase and Pushwoosh so that we too may analyze usage.

• App analysis with Localytics: To better understand the usage of our apps for smartphones and tablets, we perform analysis in some apps using the service Localytics – how often they are accessed, what is clicked on, etc. Your data is pseudonymized and you are never identified as an individual. You can deactivate the analysis in settings (for iOS in iOS Settings > App > Deactivate sending of usage data; in Android directly in the app menu under Settings).

• Newsletter statistics: We track clicks from our newsletters to our products and services with the help of the statistics services mentioned, and we also analyze opening and click rates as well as other usage data for individual newsletters with our service providers Newsletter2Go, MailChimp and Salesforce. Your email address is stored in a recipients list used to maintain distributions and sometimes also used in pseudonymized form to send you personalized newsletters tailored to your preferences. You can unsubscribe from the newsletter at any time.

• Market research: In surveys, we may sometimes ask for details on usage of our products and services and for demographic details such as age and sex. Your responses are collected anonymously and separately from other data, meaning no connection can be made to you as an individual. We need this for our own, legally permissible analysis and to present proposals to potential partners, advertising customers and other contacts. Data from accompanying betting games for which you may have submitted your email address, for instance, is recorded separately and not associated with your responses.

• Typeform and CognitoForms: We use these tools in some products and services to present surveys and forms on our pages to enable you to provide us with feedback or send us messages, for example. The data is also stored on servers in the U.S., but it is treated confidentially and only evaluated by a limited group of people in our company. You can find out more about data protection at Typeform and CognitoForms here.

5 | What social networks and external tools can see about you through us

On our site, we integrate posts and recommendation functions from platforms such as Facebook, YouTube, Twitter, Instagram, Giphy, Imgur, Spotify, TikTok or the mapping service Mapbox. These services are inactive by default, but they can be activated by the user. Most of these services are based in the U.S. but are nonetheless subject to the applicable data protection regulations in EU and EEA countries. If, for instance, you actively use a recommendation bar on our site or read an article with an embedded post or YouTube video or Spotify playlist, the embedding technology may transfer general framework data such as your IP address back to the social networks and platforms. We have no influence over the way these platforms use the data, including, in some cases, the creation of user profiles. Please consult Facebook, Twitter, Spotify, TikTok and YouTube, among others, directly for more information, and to adjust your privacy settings.

For social networks and on other external platforms, the companies' respective data protection regulations apply, even if we distribute information and maintain presences there with our brands. With Snapchat, in particular, we are active outside our internet presence, for example with DER SPIEGEL in the network’s Discover section. The U.S. company provides us with its content management system and general usage data, such as the number of hits, the length of usage, the demographics of readers and the usernames of all contacts. You can read the network's data protection rules here.

You can also create a user account with us by connecting to your Facebook account ("Sign in with Facebook” function). In this case, of course, we will not have access to your Facebook log-in information -- the social network's privacy policy applies -- but we will need to obtain your public information and your email address in order to allow you to register with us. This will enable you to set up a user account with us, and you can later unlink Facebook in our login area at any time in order to log in to us independently of Facebook.

6 | How advertising works in our products and services

If you have not decided to take advantage of the paid "PUR" service, advertisements will be served to cover the costs of our products and services. In online advertising, advertisers need reliable information about how many readers view their ads. Moreover, they are interested in preferentially presenting their advertising to those who are likely to be interested in certain products or topics. To enable them to do so, we allow our advertising partners on our free products and services to track usage data for "usage-based" online advertising (in which advertising is tailored to the user's interests), in other words to collect and process it in usage profiles in pseudonymized form ("Ad tracking”). This data helps ensure that you are presented with advertising to which you are likely to be more attentive. You can identify this "advertising tracking" by the OBA symbol, a turquoise triangle with an "i" in the middle. We have explained how you can deactivate tracking by advertising partners and the legal basis that applies at the very beginning of this data protection statement in Section 1.

We have provided an overview of the advertising service providers, the so-called "Third-Party Trackers” approved for use on our free content offerings here. The following advertising partners, which also use tracking options, perform particular functions on our site. In some cases, you may need to unsubscribe from them separately:

• IP Deutschland is jointly responsible with us for data processing in the marketing of our website. To serve personalized advertising based on a person's individual interests and to reach target groups, the company measures reaches, controls the delivery of ads, limits them with so-called frequency capping and employs cookies and other identification options to analyze your clicks. Other sources are also used, including, for example, profile segments from registration areas, device data, behavior patterns in our products and services, at times sociodemographic data or assumptions about them. This also extends beyond our website, but it is always in the form of pseudonymized profiles in which you are never directly identified as an individual. Your data will also only be used for relatively short periods of time. You can find detailed information about the technology, the data used, service providers and participants employed, options for opting out, the storage duration and more here. You can also find all the details about our partnership with IP Deutschland at the end of this data protection statement.

• In addition to the usage analysis with the analytics cookies described above, Google is also integrated as an advertising partner through Google AdWords and can place and use advertising cookies with us according to the same guidelines. If you click on an ad placed by Google, a cookie is stored without personal data that is valid for 30 days and registers your clicks on the ad on our website and is used for statistics. You can opt out here.

• Outbrain presents both individualized advertisements and personal reading recommendations from our products and services at the bottom of articles. The data that appears there is not actually compiled by us, rather it is used solely by the British service provider, which is subject to EU and EEA regulations. To deactivate Outbrain, click here and scroll down to "Opt-out."

• Sparwelt presents voucher deals on article and overview pages in our products and services; this is subject to additional data privacy regulations, which you can find here.

In general, Tracking means that your usage of our products and services is captured, for instance individual clicks, subpages visited, advertising banners viewed, etc. Because such data is related to you as a person, all usage data is saved with a random pseudonym, and this pseudonymous data cannot be personalized again. To enable ads to be tailored to your needs in places where cookies do not work optimally, in apps on smartphones, for example, cookie-like technologies may be used. To prevent this, go to the app "Google Settings" on Android smartphones or scroll down to "Google" in the General Settings app, tap "Ads Settings" and tap the on-off slider next to "Personalized advertising." On iOS devices, for which we use Apple's Advertising Identifier, go to the Settings app, then to "Privacy," then to "Advertising" and make your specific settings.

Finally, we use a service from Sourcepoint to prevent the use of ad blockers on our site. This stores data on usage of our site in cookies to repel advertising blockers and record your settings. All analysis is carried out anonymously and not in a personalized way. Private data such as IP addresses are used only in truncated form. 

7 | What our editorial cooperation partners analyze

In our articles, we often use services from cooperation partners, for surveys or discussion questions, for instance. As with social networks and platforms, the following applies: If, as an example, you read an article with an embedded survey, theoretically general framework data such as your IP address may be transferred back to the social networks and platforms. You can also find more information on their data protection policies on the websites of the cooperation partners:

• Civey: In some products and services, we use this German platform to carry out opinion surveys. Civey also collects data on your personal settings and your voting behavior, which is why you can only fully utilize the service once you log in with your own log-in or through Facebook (in the latter case the social network may theoretically track the fact that you use Civey). If you are not logged in, your voting behavior will be evaluated in anonymized form and a cookie set in each case. Your log-in and voting data is stored in encrypted form on German servers, where it remains confidential and is used solely for survey purposes. You can find out more about data protection details for Civey here.

• Opinary: In some products and services we use this German platform to carry out rapid opinion surveys. Only when you register there are you identifiable as an individual, otherwise a cookie will be set in order to present you with usage-related advertisements; Opinary analyzes the usage of websites and advertising space where it is deployed. You will only be captured using a pseudonym. You can opt out here.

• Playbuzz: In some products and services we use this Israeli platform to present our quizzes and other games and interactive surveys. Playbuzz may set cookies for advertising purposes. This is impeded if you deactivate the use of advertisement cookies in your browsers; your browser and device may be roughly identifiable through characteristics such as operating system and other settings. You can find more data protection details for Playbuzz here. We have neither influence on their data processing nor are we aware of the full extent of the data collection, the purposes or storage periods.

• Datawrapper: We use this service to create editorial information graphics to accompany our articles. When you load these infographics, general usage data is recorded, but not the IP address of your device. In addition, Datawrapper will not pass on any user data to commercial third parties. You can find more about data protection at Datawrapper here.

• Games: Some of our products and services include embedded browser-based games that are provided by our Karlsruhe-based partner kr3m, which stores the log files of the websites and files that are accessed, the associated time data, the browser and operating system and the IP address including the provider. This data is used solely for statistical purposes to optimize security and the product or service itself, but also to track illegal use. In no case is personal data passed on without the user's consent. You can find more about data protection at kr3m here.

8 | How we advertise ourselves

We, too, advertise our products and services on the Internet. We use various options for individualized advertisements with which we aim to reach you and other potential readers directly:

• Google Remarketing: We use Google's Remarketing function to present you with advertisements for our products and services that correspond with your usage preferences in the global Google advertising network. You will be identified in this network through cookies, but not identified as an individual. You can opt out here .

• Facebook Remarketing/Retargeting: We have integrated remarketing tags from the social network in our products and services where appropriate. If you are logged into Facebook, the platform receives the information that you have visited our site, through which we can present you with advertising on Facebook. The transfer of your data as a Facebook user is regulated in the data protection declaration of the network itself. You can deactivate the "custom audiences" setting for your profile here . We do not use the custom audience e-mail procedure.

• Bing Ads: This service from Microsoft, a U.S.-based company, sets a cookie if you access our website through a Bing ad so that we can find out the total number of clicks leading from an ad to our website. Your user profile is only stored in a pseudonymized form. You can opt out here .

• Sovendus: This German service provider offers some of our products for sale on the Internet as an advertising partner. In order to ensure correct billing, the service sets a single pixel at the time of purchase in order to transmit the ordered product in a pseudonymized and encrypted form, including time stamp and IP address, whereby the latter is only used for data security purposes and is normally anonymized after seven days. Details on data protection at Sovendus can be found here.

 9 | Also good to know

The responsible authority for data processing is the company within the SPIEGEL Group named in the respective legal notice (Impressum), represented by its management. You can always contact the SPIEGEL Group, Kennwort Datenschutz, Ericusspitze 1, 20459 Hamburg or send an email to datenschutz@spiegelgruppe.de if you have questions about the way we collect, process or use your data; if you wish to rectify, delete or block such data; or if you have any other general questions that have not been answered. You can find more detailed information about your rights in Section 11. You can also contact the Data Protection Officer for the SPIEGEL Group in this way. We will always address your concern promptly as long as we are not legally prevented from doing so. If we do not address your concern within the legal time limit or fail to address it sufficiently, you may lodge a complaint with the responsible supervisory authority. Generally speaking, the authority applicable to the headquarters of the company is responsible, so for us this is the Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (Hamburg Commissioner for Data Protection and Freedom of Information).

One last thing: This declaration applies to all digital products and services of the SPIEGEL Group. When we link to other websites, we have no influence and no control over whether the service provider complies with data protection provisions. If you wish to raise possible problems on a linked site or with one of our partners, please email us.

10 | Details about your rights

GDPR Article 15: Data Subject Access Rights
You have the right to obtain information from us about the personal data we process.

GDPR Article 16: Right of rectification
If the data concerning you is inaccurate or incomplete, you may request the rectification of incorrect information or the completion of incomplete information.

GDPR Article 17: Right to erasure
 In accordance with Art. 17 of GDPR, you can request the erasure of your personal data. Your right to erasure depends, among other things, on whether the data concerning you is still needed by us to fulfil our legal or contractual obligations.

GDPR Article 18: Right to restriction of processing
In accordance with Art. 18 of GDPR, you have the right to request that the processing of personal data concerning you be restricted.

GDPR Article 21: Right to object
 For reasons relating to your particular situation, you have the right to object to the processing of personal data concerning you at any time.

Art. 7 para. 1 of GDPR: Right to withdraw consent
 You have the right to withdraw your consent for the processing of your personal data at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Version: 2020.002                                                                             

Date: February 15, 2020

11 | Details on individual services

 Our websites use the measurement procedure known as "next-generation innovative scalable central measurement process," or SZMnG, from INFOnline GmbH for calculating key statistical figures on the usage of our products and services. The goal of usage measurement is to statistically determine the number of visits to our websites, the number of website visitors and their surfing behavior – on the basis of a uniform standard procedure – and so obtain values that are comparable across the market. For all digital products and services that are members of the Informationsgemeinschaft zur Feststellung der Verbreitung von Werbeträgern e.V. (IVW; German Audit Bureau of Circulation) or take part in studies of the Arbeitsgemeinschaft Online-Forschung e.V. (AGOF; Working Group for Online Media Research), usage statistics on reach are regularly processed further by AGOF and the Arbeitsgemeinschaft Media-Analyse e.V. (agma; Media Analysis Working Group) and published with the performance value "unique user" as well as the performance values "page impression" and "visits" from IVW. These reach values and statistics can be seen on the respective websites.

1. Legal basis for processing

Measurement using INFOnline GmbH's SZMnG process is carried out on the basis of legitimate interest as defined by Art. 6, para 1, lit. f of the GDPR. The purpose of processing personal data is the generation of statistics and the formation of user categories. The statistics help us understand and verify the usage of products and services. The user categories form the basis for provision of advertising material and/or advertising measures aligned with your interests. For the marketing of our website, usage measurement that guarantees comparability with other market participants is essential. Our legitimate interest arises from the economic usability of the findings generated by statistics and user categories and the market value of our website – including direct comparison with the websites of third parties – which can be determined using statistics. Moreover, we have a legitimate interest in making available the pseudonymized data from INFOnline, AGOF, agma and IVW for the purposes of market research (AGOF, agma) and for statistical purposes (INFOnline, IVW). Moreover, we have a legitimate interest in making available the pseudonymized data from INFOnline for further development and provision of advertising materials aligned with interests.

2. Type of data

INFOnline GmbH collects the following data which, according to the GDPR, may contain references to individuals:

• IP address: Every device on the Internet requires a unique address for the transfer of data – the IP address. Because of the way the Internet works it is a technical requirement that the IP address be stored at least in the short term. IP addresses are reduced by 1 byte before any processing and only processed further anonymously. There is no saving or further processing of non-truncated IP addresses.

• A randomly generated client identifier: To identify computer systems, reach processing uses either a third-party cookie, a first-party cookie, a "local storage object" or a signature generated from a range of information automatically transferred by your browser. This identifier can uniquely identify a browser as long as the cookie or local storage object is not deleted. Measurement of data and subsequent allocation to the relevant client identifier is therefore also possible if you access other websites that use INFOnline GmbH's measurement process ("SZMnG").

The validity of cookies is restricted to a maximum of one year.

3. Usage of data

INFOnline GmbH's measurement process, which is used on this website, communicates usage data. This occurs for the collection of the performance values "page impressions," "visits" and "clients" and to generate other key figures from them (e.g. qualified clients). Moreover, we may use the measurement data as follows:

• "Geo-localization," the allocation of website access to the location from which it was accessed, occurs solely on the basis of the anonymized IP address and only to the geographical level of state/region. The geographic information gathered in this way can never be used to allow deduction of a user's precise whereabouts.

• The usage data of a technical client (e.g. a browser on a device) is compiled across websites and stored in a database. This information is used for technical estimation of the demographic details of age and sex and transferred to the AGOF service provider for further reach processing. As part of the AGOF study, a random sample of social characteristics is used to provide a technical estimate that allows assignment to the following categories: age, sex, nationality, profession, marital status, general household details, household income, place of residence, Internet usage, online interests, usage location, user type.

4. Storage duration of the data

INFOnline GmbH does not store the complete IP address. The truncated IP address is stored for a maximum of 60 days. The usage data in connection with the unique identifier is stored for a maximum of six months.

5. Transfer of data

Neither the IP address nor the truncated IP address is transferred. In generating the AGOF study, data is transferred to the following AGOF service providers with client identifiers:

• Kantar Deutschland GmbH

• Ankordata GmbH & Co. KG

• Interrogare GmbH

 6. Rights of data subjects

Data subjects have the following rights:

• Right of access (Art. 15 GDPR)

• Right to rectification (Art. 16 GDPR)

• Right to object (Art. 21 GDPR)

• Right to erasure (Art. 17 GDPR)

• Right to restriction of processing (Art. 18 et seq. GDPR)

• Right to data portability (Art. 20 GDPR)

For any inquiries related to these rights, please contact datenschutz@spiegelgruppe.de. Please note that for this type of inquiry, we must be able to establish that we are dealing with the data subject. The data subject has the right to lodge a complaint with the data protection authorities. You can find further information on the measurement process on the website of INFOnline GmbH, which operates the measurement process, the data protection website of AGOF and the data protection website of IVW.

About Our Partnership with IP Deutschland GmbH

1) Overview

Various companies are involved in the marketing of our Internet products and services, both in the collection of data and in the serving of advertising. These companies play different roles. In some cases, they are individually responsible for data processing (controller) or act purely as a service provider carrying out the instructions of a controller (processor). In the context of advertising marketing, IP Deutschland GmbH, Picassoplatz 1, 50679 Cologne, Germany, e-mail: kontakt@ip.de , is responsible and are thus, together with us, "joint controllers" under Article 26 of the EU General Data Protection Regulation in terms of our internet products and services. You can find more details about this, about roles and about other responsible parties here.

2) Collection of data in the context of marketing (tracking, profiling, etc. …)

In order to personalize advertising, design it according to interests and find suitable target groups, to collect information for billing, measure reach and control/limit the serving of ads through frequency capping, a system is used in online advertising that examines user behavior and produces pseudonymized profiles of users, which can then be used in the serving of advertising. As part of that process, products and services that have been visited, content that has been clicked on, etc., are captured and stored. This data is stored within a profile in a database that can be accessed with a cookie or by another means of identification. Names and personal data of users are not stored. The cookie is essentially a pseudonym and does not contain the real name or identity of the user. In some cases, data from other sources, e.g. parts of profiles from registered areas or also technical data about the device used, the time the activity occurred or data from party sources can also be stored. Behavior patterns of users of our products and services are stored and analyzed within the profile and it is in part supplemented by sociodemographic data or assumptions about sociodemographic data (so-called statistical twins of profiles with known data that are compared based on similar or identical surfing behavior). The formation of this profile is also possible across networks, i.e. across a number of internet products or services.

3) Legal basis

Both the operators of the products and services and the other marketers and other entities that serve advertising on the products and services have a legitimate interest in marketing and monetizing their (marketed) products and services through the target group-specific serving of advertising as well as measuring the reach and controlling the serving of advertising with the use of frequency capping. The same applies to the creation of user profiles that make this possible in the first place. This purpose could not be achieved without data processing. Given the pseudonymous nature of the data, users of the products and services will not be individually identifiable to us or our marketers beyond the recognition of the browser and end devices used. Incursions on the user's right of informational self-determination are justified by the fact that the user's data is pseudonymized and is only used for relatively short periods of time. Because users are informed transparently of the procedures used in data protection statements and are also provided with effective possibilities for opting out, incursions on users' rights are minimal and at the expected level. Furthermore, no profiles are produced that focus on children. The legal basis for all processing of data in the scope of marketing is Art. 6 1f of the GDPR ("legitimate interests") or § 15, para. 3 of the German Telemedia Act (Telemediengesetzt).

4) Detailed information about options for objecting

• Information about marketers and technology opt-out opportunities

Here, you can find detailed information about the individual data processing procedures and the service providers and participants involved. This overview contains general and detailed information about the names and addresses of the companies that collect, process and/or make personal data available to other third parties, the data categories collected, the purpose of processing and the opt-out options, recipients of data, transfer to third countries, duration of storage and data sources and provides the ability to contact the data protection officer of IP Deutschland GmbH.

• Advertising IDs for mobile apps

To enable advertisements to be delivered in services that lack cookie technology – in mobile apps, for example – technologies similar to cookies may be employed. To disable personalized advertising on your mobile device, please follow the instructions below.

Android

1. Depending on the device, you will find Google Settings at one of the following places:

a. in a separate app called Google Settings

b. scroll through your main Settings app and tap Google

2. Tap on Ads

3. Tap the on-off slider to deactivate personalized ads

iOS

iOS devices use Apple's Advertising Identifier. You can find further information about the different possibilities for using this identifier in the app settings on your device.

You can find it as follows:

1. Tap "Settings"

2. Tap "Privacy"

3. Tap "Advertising." From there, you select specific settings using a slider.

Right to object

Should you not wish to take part in measurement on websites, you can object at the following link: https://optout.ioam.de. For technical reasons a cookie must be set to guarantee your exclusion from measuring. Should you delete the cookies in your browser, you will need to repeat the opt-out process at the link above. In applications, you can opt out of this measuring here; in apps you can deactivate them in settings (for iOS in iOS Settings > App > AGOF-Zählung, for Android directly in the app menu under Data protection > IVW/AGOF-Zählung).