Privacy statement

Data privacy statement

To give the summary first: I am extremely stingy when processing your personal data.

  • These web pages have no forms or other means of collecting data.

  • My web pages embed almost no external resources. At this point in time, the single exception is embedded only after you have requested that embedding with an extra click.

Controller

Andreas Krüger
Herweghstr. 13
12487 Berlin

Phone: +49 30 98 32 4321
Email: See bottom of page.

IP addresses

The personal data processed by my web site are IP addresses.

My server uses this data to send its answers (i.e., my content) back to you. (Every web server does this.)

Beyond that, I anonymize the IP addresses and store the anonymized version in a typical web server log. But, strictly speaking, for a certain window of time, the IP addresses are not yet fully anonymous, but only pseudonymous.

I use a technical procedure that generates the anonymous IP address from the original, real one and a random number via a so-called “hash” function. The random number used for this is kept in use for 24 hours and is deleted after 48 hours.

For the intermediate time when the deletion has not yet happened, the IP address is not fully anonymous yet. It is pseudonymous data. Using the random number (and some trial and error), the original IP address can be regained - at least with a certain probability.

After 48 hours, the random number that has been used the previous day is deleted. That deletion instantaneously turns the pseudonymous IP numbers in the logs into anonymous IP numbers. So those IP numbers are no longer personal data.
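The scheme described above, sketched as an added example that is not this site's actual code: it assumes HMAC-SHA256 as the hash function and a hypothetical `SaltStore` holding the daily random numbers, and it uses constructed addresses from the 192.0.2.0/24 documentation range.

```python
import hashlib, hmac, ipaddress, secrets

USE = 24 * 3600     # page: a random number is in use for 24 hours
DELETE = 48 * 3600  # page: deleted after 48 hours (read here as: since first use)

class SaltStore:
    """Hypothetical holder of the per-day random numbers, keyed by day index."""
    def __init__(self):
        self._salts = {}

    def purge(self, now):
        # Deleting a salt is the step that turns that day's log entries anonymous.
        for day in [d for d in self._salts if now >= d * USE + DELETE]:
            del self._salts[day]

    def current(self, now):
        self.purge(now)
        day = int(now // USE)
        if day not in self._salts:
            self._salts[day] = secrets.token_bytes(32)
        return day, self._salts[day]

    def get(self, day):
        return self._salts.get(day)

def pseudonymize(ip, salt):
    # Assumption: HMAC-SHA256 keyed with the random number; the page names no function.
    packed = ipaddress.ip_address(ip).packed
    return hmac.new(salt, packed, hashlib.sha256).hexdigest()

def recover(token, salt, candidates):
    """Trial and error over candidate addresses; impossible once the salt is gone."""
    if salt is None:
        return None
    for host in ipaddress.ip_network(candidates):
        if hmac.compare_digest(pseudonymize(str(host), salt), token):
            return str(host)
    return None

def demo():
    store = SaltStore()
    day0, salt0 = store.current(now=0)
    token = pseudonymize("192.0.2.7", salt0)  # constructed address (TEST-NET-1)
    same_visit = pseudonymize("192.0.2.7", store.current(now=5 * 3600)[1])
    next_day = pseudonymize("192.0.2.7", store.current(now=25 * 3600)[1])
    while_kept = recover(token, store.get(day0), "192.0.2.0/24")
    store.purge(now=48 * 3600)
    after_delete = recover(token, store.get(day0), "192.0.2.0/24")
    return token == same_visit, token == next_day, while_kept, after_delete
```

`demo()` shows the three properties the text relies on: the same address maps to the same log token within a day, to a different token the next day, and can be recovered by trial and error only until the day's random number is deleted.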

The way of turning real IP addresses into anonymous IP addresses allows me to track “click tracks” on my web pages, even if those stretch a few hours. This helps me when I optimize my offers. I am not at all interested in knowing which particular individuals left those “click tracks”.

So, for my purpose, I have no need to reconstruct the real IP addresses from the pseudonymous data during those initial hours. I simply don’t do it. In this situation, there is no legal obligation that requires me to implement the processing needed and keep additional data just to grant the typical personal data rights of information, deletion, and the like.

It remains uncertain whether my processing of those anonymous or pseudonymous IP addresses is still personal or household activity or already falls under the European GDPR. I presume the former is the case. Just to be on the safe side, let me mention that, even in the latter case, optimizing my offer is my legitimate interest (in GDPR terms). That entitles me to keep pseudonymous IP addresses for 48 hours. Also in this latter case, you are entitled to lodge a complaint with the pertinent supervisory authority.

Attackers

The servers administered by me provide certain private services. These services are only to be used by myself, members of my family, and personal friends. A separate data privacy statement governs these services.

These non-public services are protected by pertinent technical means (like cryptography and authentication procedures). Those services are attacked by unbidden parties; several thousand attacks per day are customary. I have a legitimate interest in analyzing these attacks, warding them off, and collecting intelligence towards legal prosecution. I collect IP addresses and other potentially personal data connected with those attacks.

I reserve the right to forward such data to the police, prosecutors, and the like. I reserve the right to keep such data as long as it is potentially useful for prosecution.

If you have attempted to access my private services unbidden, I will call you an attacker in what follows. In conformance with GDPR regulations, I grant each attacker the right to obtain information from me regarding personal data concerning her or him, the right to be informed about the categories of such data, and the right to obtain said data itself; finally, insofar as the data is no longer useful for my purposes as mentioned, the right to have the data deleted. You are outright entitled to all of the above if my data processing falls under the GDPR, as opposed to personal and household activity. That is somewhat uncertain, but I grant these rights to you nevertheless. In either case, I need certainty that you, as the requester of any of the above, are actually the person behind, e.g., a particular IP address. I cannot act on any request from you without pertinent proof from your side.

If the GDPR is applicable, you are entitled to lodge a complaint with the pertinent supervisory authority.