Below we will inform you about the protection of your personal data. You can be assured that we will treat your personal data confidentially and in accordance with the statutory data protection regulations and this data protection declaration. However, we must point out that data transmission in the internet (e.g. when communicating by email) may have gaps in security. Complete protection of data from third-party access is not possible.


This privacy policy applies to all data processing by:

Förderkreis Mahnmal St. Nikolai e.V.
Willy-Brandt-Straße 60
20457 Hamburg
Telefon: 040 / 429 033 26
Authorized representative of the board of directors: Dr. Martin Schau
Registered at the local court of Hamburg, Association register no. 11678


The following terms are used in this privacy statement:

1 Personal data

Personal data is any information relating to an identified or identifiable natural person (hereinafter „data subject“). An identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more specific characteristics which are, inter alia, an expression of the economic, cultural or social identity of that natural person.

2 Data subject

Data subject means any identified or identifiable natural person whose personal data are processed by the controller.

3 Processing

Processing“ means any operation or set of operations which is carried out with or without the aid of automated processes and which relates to personal data, such as collection, recording, organisation, sorting, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or association, qualification, erasure or destruction.


Below you will find out whether and, if so, which personal data we process within the scope of the various possibilities of establishing contact. In the interests of clarity, we have initially divided our information about data recording and data processing according to how the contact with you was made, whether via our website (below 1), our Facebook Fanpage (2) or otherwise (3).


1.1 Calling up the website

When calling up our website the browser used on your terminal will automatically send information to our website server. This information will be stored temporarily in a so-called logfile. The following information will be recorded here without any actions from you and stored until it is automatically erased:

  • IP address of the requesting computer, anonymised
  • Date and time of the access,
  • Name and URL of the file called up,
  • Website from which access was made (referrer URL),
  • Browser and, if necessary, the operating system on your computer and the name of your accessprovider.

We will process the data specified for the following purposes:

  • Guaranteeing a smooth connection on the website,
  • Guaranteeing convenient use of our website,
  • Evaluating system security and stability.The legal basis for data processing is Art. 6 (1) sentence 1 f) GDPR. Our legitimate interest results from the data collection purposes listed above. In this connection, we will not use the data collected for the purposes of drawing conclusions about you.

1.2 Using our contact form

On our website we offer the possibility to contact us via a form provided there for the purpose of providing personal advice. In doing so, it is necessary to disclose your name as well as to disclose a valid email address so that we know where the request has come from and are able to meet your wishes accordingly.

Our data processing of the disclosures you have entered is done as per Art. 6 (1) sentence 1 b) GDPR on the basis of fulfilling your request.

1.3 Membership application

On our website you can download forms for applying for membership (private membership/company membership). It is not possible to enter data online via our website. Under section 3.1 of this data protection declaration, you will learn how we process your data in the event that a membership application is sent to us.

1.4 Using PayPal

We offer visitors to our website the opportunity to make donation payments to our association via PayPal. By pressing the donation button, a connection to the payment service PayPal is established and your IP address is transmitted.

PayPal then collects the payment information you entered to process the payment. Payment is subject to PayPal’s terms and conditions and privacy policy, which are available on the respective websites, transaction applications or alternatively here directly at ( For the assertion of rights against PayPal, we refer you to the PayPal data protection declaration under the aforementioned link.

The European operating company of PayPal is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg.If the person concerned selects „PayPal“ as the payment option, the data of the person concerned is automatically transferred to PayPal.

The data processed by PayPal includes inventory data such as name and address, bank details such as account or credit card numbers, passwords, TANs and checksums, as well as the donation amount and recipient details. The information is required to complete the transactions. However, the data entered will only be processed and stored by PayPal.This means that we do not receive any account- or credit card-related information, but only information with confirmation of payment. Under certain circumstances, the data may be transmitted by PayPal to credit agencies. The purpose of this transmission is to check identity and creditworthiness. Please refer to PayPal’s terms and conditions and privacy policy.

We use PayPal as an external payment service provider on the basis of our legitimate interests pursuant to Art. 6 (1) sentence a f) GDPR in order to offer our donors an effective and secure means of payment.

1.5 Cookies

We do not use cookies on our website.

1.6 Analysis tools/Tracking tools

We do not use any tracking tools on our website.

1.7 Social Media Plug-Ins

We do not use social media plug-ins on our website. You can reach our online presence on Facebook by activating the link provided on our website. When you visit our website this will not case data to be transmitted to Facebook, this will only happen when you visit our Facebook fan page by activating the link.

2 Social Media (Facebook and Twitter)

2.1 Facebook fan page

We have set up a page on Facebook on the basis of our legitimate interests according to Art. 6 (1) sentence 1 f GDPR. On that page we inform you about the latest news as well as about our events/activities. You can “Like”our fan page in order to keep up to date. Depending on how you have configured your privacy settings, we can see that you have given us a Like. If you mark your participation in one of our events on Facebook, this data will not be transmitted to us automatically. We also analyse the page views and interactions on our Facebook page. For this purpose, Facebook creates usage profiles and provides us with anonymous data only.

As a platform provider, Facebook processes the personal data of its users and visitors, draws up statistics and possibly user profiles, and uses this data for advertising purposes. This data can also be used for market and opinion research. Your information will be recorded via cookies and can be supported in that you are logged on to the platform.

The processing detailed above relates to our legitimate interest as per Art. 6 (1) sentence 1 f) GDPR to provide you with the best possible information about our association.

In the event of information requests and the assertion of user rights we would like to point out that these canbe asserted most effectively on Facebook. Only Facebook has access to users’ data, can take the appropriate

actions directly and provide information. However, you can send your request to us, of course, and we will forward this to Facebook. If you require any further assistance, please contact us.

Facebook is operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA. The controller responsible under data protection law is:
Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland
You will find further information about how Facebook processes data at: Agreement on the joint processing of personal data:

Facebook participates and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss–U.S. Privacy Shield Framework (Privacy Shield Frameworks) as set forth by the U.S. Department of Commerce, The Privacy Shield Frameworks are an item of data protection certification provided by the USA. It allows companies to prove they have a set level of data protection. You will find information about the Privacy Shield (US data protection certificate) at:

An opt-out is possible at: and

2.2 Twitter

We have integrated   functions and contents of Twitter to our online services. Twitter is offered by Twitter Inc, 1355 Market Street, Suite 900, San Francisco, CA 94103, USA.

Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland is responsible for the data processing of persons living outside the United States.

We would like to point out that you use Twitter short message service offered here and its related functions in your own responsibility. This applies in particular to the use of the interactive functions (e.g. share, evaluate). Please find further information in Twitter’s privacy policy:

Twitter Inc. is committed to the principles of the EU-US Privacy Shield. You can find out more at:

3 Data processing outside of the use of our website

We process personal data outside the use of our website or Facebook Fanpage as shown below.

3.1 Members, interested parties

In the context of our association activity we process the following personal data of our personal members as well as those interested in a membership:

  • First name and surname and address
  • Telephone number (landline and/or mobile) and E-Mail (optional)
  • Entry date, termination date
  • Kind of membership
  • Payment information

The processing is necessary for the purpose of member administration and the handling of enquiries. The legal basis for the processing is Art. 6 (1) sentence 1 b) GDPR.

3.2 Donors

In the context of our association activity we process the following personal data of donors:

  • First name and surname
  • Address
  • Telephone number (landline and/or mobile) and E-Mail (optional)
  • Donation amount

The processing is necessary for the purpose of fulfilling the purpose of the statutes as well as for the completion of inquiries. The legal basis for the processing is Art. 6 (1) sentence 1 b) GDPR.

3.3 Business partners (e.g. tenants, service providers)

We may store contact details of our business partners (e.g. tenants of our event location, service providers) as well as contact details of the person in charge for the purposes of preparing, concluding and executing contracts.

The processing is necessary for the purpose of fulfilling the purpose of the statutes as well as for the completion of inquiries. The legal basis for the processing is Art. 6 (1) sentence 1 b) GDPR.

The legal basis for processing contact details of the person in charge is Art. 6 (1) sentence 1 f) GDPR. Our legitimate interest follows from our justified interest in a simplified contract winding up by means of direct establishment of contact with the responsible person.

3.4 Visitors of the memorial/our events /guestbook entries

Within the scope of the statutory operation of the memorial, it is possible that we process personal data (primarily photographs) of visitors. If visitors make entries into our guestbook, we reserve the right to anonymously publish such the entries on our website and/or our Facebook fan page.

and/or for the documentation of the respective event, reporting and advertising of future events. The processing takes place in relation to the photographed visitors due to our legitimate interest in our external presentation to the public. The legal basis for the processing is Art. 6 (1) sentence 1 f) GDPR. We expressly point out here that the persons photographed are entitled to a right of objection (see below VI.3.2).


In the following we inform you to whom we pass your personal data on if necessary on the basis of which legal basis.

1 Recipients (categories)

We will transfer personal data to third parties only if this is necessary for the fulfilment of our statutory purposes or our obligations and/or the enforcement of our rights.

We will primarily transfer your personal data to third parties that are service partners involved in executing contracts, such as in particular tax consultants as well as banks and PayPal (please find further information above under point III.1.4).

We publish photographs of visitors on our website and on our Facebook fan page for the purpose of presenting our organisation to the public.

Furthermore, the transmission of your data within the scope of legally permissible transfer to the following third parties may come into consideration: order processors to whom we transmit your personal data to conduct the business relationship or to whom we permit access to your data that we store. In detail: supporting/maintaining EDP-IT applications; archiving; data destruction. If these service providers act as processors, we have concluded corresponding processing agreements ensuring that also subcontractors are bound accordingly.

We also transfer data to courts, arbitration tribunals, government agencies or legal advisors if this is necessary to comply with applicable law or to assert, exercise or defend legal claims.

In cases in which your personal data is forwarded to third parties, the scope of the data transmitted will, however, be kept to the necessary minimum.

2 Authorisation for transferral

We will only transmit your personal data to third parties if:

  • This is legally permissible and required as per Art. 6 (1) sentence 1 b) GDPR to execute contractualrelationships with you,
  • There is a legal obligation for the transfer as per Art. 6 (1) sentence 1 c) GDPR and/or
  • Transfer is required as per Art. 6 (1) sentence 1 f) GDPR to assert, exercise or defend against legalclaims and there is no reason to assume that you have an interest requiring protection in the non- transfer of your data that outweighs this.

We will only transfer your personal data for other purposes if you have given your explicit consent, Art. 6 (1) sentence 1 a) GDPR.


Data will be deleted – subject to the assertion of rights listed below under point VI – as soon as they are no longer required for the purpose of its processing. In detail:

1 Visit to the Website

If you visit our website without using our contact form, your data will be erased within 24 hours after the end of the browser session/after you have closed your browser.

The personal data we collect for using the contact form (see above III.1.2) will be automatically erased after the completion of the request made by you and, if no membership or other contract is concluded, after 15 months at the latest.

Personal data processed in connection with a payment to us via PayPal will be stored for the duration of the contractual relationship with you as well as on the basis of Article 6 (1) sentence 1 ) GDPR beyond that, if we are obliged to a longer storage (up to 11 years) due to tax and commercial storage and documentation obligations ( according to German Code of Commercial Law, German Criminal Code or German Fiscal Code ) or other legal obligations.

2 Facebook Fanpage

Personal data that we generate by our Fanpage on Facebook are no stored anywhere else but on Facebook. Deletion of such data on Facebook takes place to the extent possible to us only in the case of objection of the person concerned.

3 Other personal data

Other personal data will be deleted as soon as they are no longer required for the purpose of their processing. In detail:

3.1 Membership

Personal data that we process necessarily from members in connection with their membership will be stored until termination of membership. Upon termination of membership, the personal data will be deleted or alternatively archived after 12 months at the latest, provided that processing within the scope of the original membership – e.g. in the event of a legal dispute – and subject to statutory retention periods. Within the scope of possible archiving, processing will only take place for the purpose of proving the history of our association. The archived data are blocked for any other processing. Data that are not relevant for the history (especially contact and payment data) will be deleted after the above mentioned period.

3.2 Donors, Business partners, Visitors, other concerned persons

Personal data which we process within the framework of a contractual relationship or a donation shall be deleted at the latest 24 months after termination of the respective contractual/business relationship, unless we are obliged to store such data for a longer period of time pursuant to Article 6 (1) sentence 1 c) GDPR, due to tax and commercial law storage and documentation obligations (according to German Code of Commercial Law, German Criminal Code or German Fiscal Code) or other legal obligations.

Personal data processed on the basis of an enquiry or another contact outside of an existing membership or another contractual/business relationship (e.g. room rental) with us will be deleted at the latest 24 months after completion unless a contract is concluded.

We will only storage your personal data beyond the above mentioned deletion deadlines if you have given your explicit consent, Art. 6 (1) sentence 1 a) GDPR.

Photographs of affected persons in connection with a visit to the memorial or other events of the association are excluded. These are generally archived for an indefinite period of time for the purpose of the association’s history.


You are entitled to the following rights with regard to the processing of your personal data:

1 General rights

You have the right:

  • as per Art. 15 GDPR to demand to be informed free of charge about your personal data that weprocess. In particular, you can demand to be informed about the purposes of processing, the category of personal data, the categories of recipients that disclosures of your data are or were made to, the planned storage period, the right to rectification, erasure, restriction of processing or objection, the right to complain, the origin of your data if we did not collect this and any automatic decision-making including profiling and, if necessary meaningful information about the details of these;
  • as per Art. 16 GDPR to demand the rectification of incorrect data or completion of your personal data that we store;
  • as per Art. 17 GDPR to demand the erasure of your personal data that we store if the processing is not required to exercise the right of freedom of speech and information, to meet a legal obligation, for reasons of public interest or to assert, exercise or defend against legal claims;
  • as per Art. 18 GDPR to demand the restriction of processing of your personal data if you dispute the accuracy of the data, processing is illegal, but you reject erasure and we no longer require the data, however, you require this to assert, exercise or defend against legal claims or as per Art. 21 GDPR you have objected to processing;
  • as per Art. 20 GDPR to demand receipt of your personal data that you have provided to us in a structured, common and machine-readable format or transmission to another controller;
  • as per Art. 7 (3) GDPR to withdraw any consent you have given us at any time. The consequence of this is that we must not continue data processing that related to this consent and

2 Right to complain

If you are of the opinion that the processing of your personal data concerning by us is inadmissible, you have the right to complain to the supervisory authority responsible for us in accordance with Art. 77 GDPR. This will normally be the supervisory authority of your usual place of residence or workplace or at our corporate headquarters.

3 Right of withdrawal and Right to object

You have the following rights:

3.1 Right to revoke consents

You have the right to revoke consents granted pursuant to Art. 7 (3) GDPR with effect for the future.

3.2 Right to object

If your personal data is processed on the basis of legitimate interests as per Art. 6 (1) sentence 1 f) GDPR, you have the right as per Art. 21 GDPR to object to the processing of your personal data if there are reasons resulting from your particular situation. Please note that the contradiction is only effective for the future. Processing that took place before the opposition is not affected.

4 Assertion of your rights

If you want to exercise your right to withdraw consent or to object, just send an email to info@mahnmal-st-

VII. Data security

As part of your visit to the website we use the common SSL procedure (Secure Socket Layer) in combination with the respectively highest level of encryption that is supported by your browser. This is usually 256-bit encryption. If your browser does not support 256-bit encryption, we will use 128-bit v3 technology instead. You can recognise an encrypted connection in that the address line of the browser will change from “http://” to “https://” and from the lock symbol in your browser line.When SSL encryption is activated, the data you transmit to us cannot be read by third parties.

Otherwise, we use suitable technical and organisational security measures to protect your data against accidental or deliberate manipulations, partial or complete loss, destruction or against unauthorised third- party access. Our security measures will be continuously improved in accordance with technological development.

VIII. Topicality of our Privacy Policy

This Privacy Policy is currently valid and is the version of May 2019.