Data Privacy

Contact Information Kopiert!

The entity responsible for data protection under the General Data Protection Regulation (GDPR) is:

Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
Suttner-Nobel-Allee 4, 44803 Bochum
hallo@zendis.de 

For questions regarding data protection, you may also contact our Data Protection Officer directly at: datenschutz@zendis.de or by mail to the address of the controller, addressed to the Data Protection Officer.

Your General Rights Kopiert!

Below is a summary of your general rights under the GDPR regarding the personal data processed by us. For explanations of legal terms, please refer to the definitions provided in the GDPR (see Article 4). If anything remains unclear, feel free to contact us.

• Withdrawal of Consent: You may withdraw any consent given for the processing or sharing of your data at any time with future effect (Article 7(3) GDPR).
• Right to Object: If the legal basis for processing your data is a legitimate interest under Article 6(1)(f) GDPR, you have the right to object to the data processing under Article 21 GDPR.
• If the data processing involves direct marketing, no explanation for your objection is required. In all other cases, you must provide reasons based on your particular situation that justify your objection.
• Correction of Data: If we have stored incorrect information about you, you have the right to request its correction (Article 16 GDPR).
• Access to Data: You may request information about the data we process about you (Article 15 GDPR, § 34 BDSG).
• Deletion or Restriction: You may request the deletion or restriction of your data, provided that no overriding retention obligations prevent this (Articles 17 and 18 GDPR, § 35 BDSG).
• Data Portability: You may request that we provide the data you have supplied to us in a machine-readable format for transfer to third parties (Article 20 GDPR).
• Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority, such as the Federal Commissioner for Data Protection and Freedom of Information, regarding any data protection issues related to us.

General Information on Data Processing Kopiert!

All processing of personal data requires a legal basis permitting such processing. The legal basis primarily depends on the purpose of the data processing. The lawfulness of a legal basis is generally determined by the specific scope of the data processing and the measures we implement to protect your data.

The legal bases for data processing are derived from Article 6(1) GDPR and, for particularly sensitive data such as health data, Article 9(2) GDPR. These provisions primarily cite the preparation or fulfillment of contractual, legal, or societal obligations as the main legal grounds for data processing. Additionally, many data processing activities are based on our legitimate interest, provided that the interests of the data subjects do not outweigh ours in the specific circumstances. When one of the aforementioned legal bases applies, no further consent from you is required for the processing.

Furthermore, data processing may occur based on your consent (Article 7 GDPR) or, for individuals under 16 years of age using information society services (e.g., websites, online games, social media platforms), with the consent of a parent or guardian (Article 8 GDPR).

In some cases, our obligation to obtain your consent arises not only or not exclusively from the GDPR but also from the Telecommunications Telemedia Data Protection Act (TDDDG) or the Unfair Competition Act (UWG). We have taken the obligations under these laws into account without explicitly mentioning them below.

If data is transferred to a country outside the European Economic Area (EEA), we ensure that data protection is safeguarded in accordance with Articles 44–49 GDPR. Such a transfer to a country outside the EEA is referred to as a "third-country transfer" in data protection law.

General Notice on Cookies Kopiert!

Cookies are text entries stored by your browser on your device when you visit a website. A cookie can store various types of information. In some cases, a cookie only stores a simple "yes" or "no" (e.g., "true" or "false") or a country code like "de" for the German language. Other times, it stores a string of characters enabling the unique identification of the browser upon revisiting the website (a so-called Cookie ID).

The right to set cookies is not determined solely by the GDPR but primarily by § 25 of the Telecommunications Telemedia Data Protection Act (TDDDG). This regulation distinguishes between cookies that are strictly necessary for the operation of an online offering (essential cookies) and those that are not. Essential cookies may be set without consent, whereas non-essential cookies always require consent—even if such consent is not required under the GDPR.

Before we store non-essential cookies on your device, we will ask for your consent in accordance with § 25 TDDDG. The purpose of each cookie and its legal basis under the GDPR are explained in the following descriptions of specific data processing activities.

You have several options to prevent the acceptance of cookies on your device:

• Consent Manager: When visiting one of our websites, you can decide through our consent manager which cookies to allow or reject. In some cases, you can only opt for general acceptance or rejection of all cookies or groups of cookies.
• Browser Settings: You can configure your browser to never accept cookies. However, this may result in the loss of certain functionalities that rely on cookies, even those that do not require consent.
• Private Mode: You can access websites in your browser’s private mode. This mode blocks the storage of cookies in your browser or automatically deletes all cookies at the end of the session.
• Advanced Settings: Some browsers or browser plug-ins allow you to set more specific preferences regarding which cookies to accept by default and which to block.

Specific Data Processing Activities Kopiert!

Hosting of the openCode Platform Kopiert!

Description
For the openCode platform and its components to be available on your browser, the web server must collect technical data about your device, browser, and internet connection. The so-called "weblog" includes data that you inevitably leave behind on any website you visit. The primary focus is your IP address, which is used to send the requested data to your browser.

The openCode pages store a cookie in your browser’s storage containing the country code for the selected language version. This cookie is technically essential for the platform’s operation and does not require consent under § 25 TDDDG.

Data Categories

• IP address used to access openCode
• Date and time of access
• Objects accessed on our website
• Browser type and version
• Operating system type and version

Data Recipients (including potential third-country transfers)
Our hosting provider, bound by a data processing agreement. No third-country transfers occur. In cases of attacks on openCode, data may be shared with forensic experts and law enforcement authorities engaged by us.

Purpose and Legal Basis
The purpose of data processing is to provide the openCode platform and its components as a suite of cloud-based applications. An additional purpose is the investigation of unlawful access to our websites (e.g., hacking attempts).

The legal basis is a legitimate interest, as operating a website would be impossible without capturing the weblog. In cases of attacks on our website, we also have a legitimate interest in providing investigators with evidence of how the attack occurred.

Retention Period: 90 days

Personal User Account Kopiert!

Description
To use certain sections of the openCode platform, you need a user account managed through the portal at https://keycloak.opencode.de/.

The Keycloak application creates a set of entries in your browser's cookie storage. These cookies are all technically essential for the platform’s operation and do not require consent under § 25 TDDDG.

Data Categories

• Personal information (username, email address, first and last name, language preference)
• Login security (password, two-factor authentication, passkey)
• Registered devices (operating system and version, browser and version, IP address, last login time, session expiry, last access)

Data Recipients (including potential third-country transfers)
Our hosting provider, bound by a data processing agreement. No third-country transfers occur.

In cases of attacks on openCode, data may be shared with forensic experts and law enforcement authorities engaged by us.

Purpose and Legal Basis
Operating your user account is necessary to fulfill our corresponding Terms of Use. The legal basis is the fulfillment of our contractual obligations toward you.

In cases of attacks on openCode, where specific indications suggest that such attacks are linked to your user account, the investigation is based on our legitimate interest, as we are not required to tolerate security breaches.

Retention Period: Your user account remains active until you or we terminate the contractual relationship. We delete your account and all associated data in accordance with the terms outlined in the Terms of Use.

Your Publications on openCode Kopiert!

Description
openCode is a platform where users can actively contribute to the development and review of software via their user accounts. The platform is committed to transparency. Accordingly, all types of your publications will be attributed to your name.

Data Categories
Name or username and associated publications.

Data Recipients (including potential third-country transfers)
Please note that openCode is a public platform, and your publications are automatically made public.

Regarding data sharing under the GDPR: Our hosting provider, bound by a data processing agreement to ensure data protection. No third-country transfers occur.

In cases of attacks on or via openCode, data may be shared with forensic experts and law enforcement authorities engaged by us.

Purpose and Legal Basis
The purpose of publishing names is to ensure transparency in contributions to collaborative software development.

Another purpose is conducting investigations in cases of unlawful use of our platform (e.g., the dissemination of malicious code).

The legal basis is the fulfillment of the contract, as the publication of contributions is directly related to the platform's intended use, as outlined in the Terms of Use (specifically Section 6) and the Code of Conduct.

In the specific case of an attack on our website, we have a legitimate interest in providing investigators with evidence of how the attack occurred.

Retention Period
The association of a publication with your identity ends upon the deletion of your user account. Your publications will remain but will be attributed to an anonymous profile. In the case of investigations related to an attack, we store data until the conclusion of all subsequent proceedings.

Analysis of User Behavior (Matomo) Kopiert!

Description
To continuously improve the openCode platform, we analyze its usage through anonymized reports. Our self-hosted web analytics tool, based on the open-source software Matomo, generates statistical reports on activities within openCode modules and the technical specifications of the devices used to access the platform.

To minimize personal identification, the analytics tool is configured to avoid storing IP addresses in their original form. Usage data is not linked to your user account, email address, or name and is not shared with third parties.

However, Matomo is configured to store cookies in your browser to associate your activities on our website with the same user or visit. This allows us to determine the percentage of returning visitors or trace user paths across our websites. The cookie does not reveal your identity. The cookie contains a pseudonymous ID for your browser.

Before setting the cookie, we request your consent in compliance with § 25 TDDDG.

Matomo also recognizes browsers via their digital fingerprints. For this purpose, no data, such as the cookie ID, is stored on your device. The fingerprint is derived from a combination of technical parameters from your browser and device. Fingerprints are assigned a random value and deleted after 24 hours, making it impossible to track your browser beyond this period. After 24 hours, your device appears as a new, unknown visitor in our statistics.

Data Categories

• Truncated IP address used to access the internet
• Location or country and internet service provider associated with the IP address
• Date and time of access
• Objects on our website accessed (clicked) via the browser
• Browser type and version
• Operating system type and version
• Websites visited immediately before and after
• Matomo ID stored in the cookie
• Digital fingerprint based on general technical parameters of the browser-device combination, supplemented with a random value

Data Recipients (including potential third-country transfers)
None.

Purpose and Legal Basis
The statistical analysis of usage data serves the ongoing improvement of openCode

The legal basis is a legitimate interest, as personal identification is minimized (e.g., non-storage of IP addresses and limiting digital fingerprints to 24 hours), and the data is not combined with other datasets, shared with third parties, or used for other purposes.

The storage of Matomo cookies requires your consent under § 25 TDDDG, regardless of the legitimate interest under GDPR, as usage analysis is not technically essential for providing the platform.

Retention Period
No personal data is stored in usage reports, as the analytics tool only saves statistical data in anonymized form. Digital fingerprints are deleted after 24 hours. Cookies containing Matomo IDs expire automatically after 14 days.

Other Data Processing by ZenDiS Kopiert!

This privacy notice applies to the use of the openCode platform. For all other types of data processing by ZenDiS, such as email communication or applications submitted during recruitment, please refer to the general ZenDiS privacy policy: https://www.zendis.de/datenschutzerklaerung.