Privacy Statement
This privacy policy includes the “Duty to Inform When Collecting Personal Data from the Data Subject” in accordance with Article 13 of the General Data Protection Regulation (GDPR).
§1 Name and Address of the Controller
The data controller is:
Drupal e. V. – German Drupal Association
Osloer Straße 17
13359 Berlin
Germany
vorstand@drupal.de
§2 Data Collection and Processing
1. Membership Management
Upon joining, the association collects the following data (some of which are optional):
For individual memberships:
- Salutation
- Academic title
- First and last name
- Address
- Date of birth
- Email address
- Phone number
- drupal.org username
- DrupalCenter username
- IRC username
For corporate memberships:
- Company name
- Salutation
- Academic title
- First and last name
- Address
- Date of birth of the contact person
- Email address
- Email address for invoicing
- Phone number
- drupal.org username
- DrupalCenter username
- IRC username
This data is stored in our IT system and protected against unauthorized access through appropriate technical and organizational measures.
2. Event Tickets
We use a self-hosted ticketing system (Pretix Community Edition, Free and Open Source), operated on a server located in Germany under the direct control of Drupal e. V.
Board members and event organizers of DrupalCamps and other events organized by the association have access to personal data stored in Pretix (event organizers only to the data relevant to their event).
Employers may register their team members. The following personal data may be provided:
- First and last name
- Optional: email address
- Optional: T-shirt size
- Optional: responses to questions such as willingness to volunteer
For the payment method, the following information is stored:
- Payment type
- Payment ID (encrypted)
- Payment status (e.g., “completed” or “insufficient funds”)
More on Pretix privacy: https://pretix.eu/about/de/privacy
a) Payment Provider
All ticket payments are processed via Stripe. Stripe complies with high security standards. The backend does not provide access to payment details.
All credit card numbers are stored encrypted with AES-256. The infrastructure for storing, decrypting, and transmitting payment data runs on separate physical infrastructure. More info: https://stripe.com/docs/security/stripe
b) Ticketshop API
Pretix provides an API that allows access to participant information, but only with an access key and only if activated for an event. We currently do not use this feature.
c) Name Lists, Name Tags
For access control, we may generate name lists and/or name tags from the provided data. These lists and unissued tags will be destroyed shortly after the event. Participant lists are not shared with third parties (except when published on websites by the participants themselves).
§3 Use of Data and Recipients
Data is only transmitted to third parties to fulfill contracts directly related to the data collection.
§4 Purpose and Legal Basis
The legal basis for processing personal data is Art. 6(1)(b) GDPR, as it is necessary for fulfilling a contract – i.e., the association membership.
The primary purpose of collecting, processing, and using personal data is member management and achieving the association’s goals. The association may be required to transmit data to related organizations as part of its memberships.
Processing is also based on the legitimate interests of the association (Art. 6(1)(f) GDPR). Additional data collection and publication (e.g., in publications or online) require written consent in accordance with Art. 7 GDPR.
Consent must be provided using a specific form and can be withdrawn at any time in writing without negative consequences, effective going forward: vorstand@drupal.de
§5 Deletion and Blocking of Personal Data
We process and store personal data only for as long as necessary for the intended purpose or as required by law.
Once the purpose is fulfilled or the legal retention period expires, data will be deleted or blocked as per legal requirements.
When a member leaves the association, their personal data is removed from the membership system. Financial data is retained for up to ten years in compliance with tax laws and is blocked during this period.
§6 Your Rights
Members or event participants have the right to request information, correction, and deletion of stored data (unless Art. 6(1)(b) or (f) GDPR applies). This also applies to restriction or objection to processing or transmission.
Requests must be submitted in writing to the board.
If you believe your data is being processed unlawfully or your rights have been violated, you can lodge a complaint with the relevant data protection authority.
§8 Right to Object and Withdraw Consent
Requests for information, correction, deletion, or withdrawal of previously granted consent for data use can be submitted informally to: