DATA PROTECTION STATEMENT

Thank you for your interest in the ING Night Marathon Luxembourg. Data protection is of particular importance to step by step S.A. In most cases, use of the step by step S.A. website is possible without having to provide any personal data. However, if a person wishes to use our company’s special services via our website, personal data must be processed.

The processing of personal data, such as the name, date of birth, address, email address or telephone number of a data subject, is always carried out in accordance with the General Data Protection Regulation (GDPR) and in accordance with the data protection regulations applicable to step by step S.A. The purpose of this data protection statement is to inform the public about the type, scope and purpose of the personal data we collect, use and process. Furthermore, this declaration informs data subjects of their rights when it comes to collection of their personal data.

As the entity responsible for processing data, step by step S.A. has taken numerous technical and organizational measures to ensure that the personal data processed via this website is protected as thoroughly as possible. Nevertheless, online data transmissions are subject to security breaches, making it impossible to guarantee absolute data protection.

1. Definitions


The data protection statement of step by step S.A. is based on the terminology used by the European directive and regulation authority when the General Data Protection Regulation (GDPR) was issued. Our data protection statement is designed to be easy to read and understand for both the public and our customers and business partners. To make sure this is truly the case, we would like to begin by explaining the terms used.

This data protection statement makes use of the following terms, among others:

a) Personal data
‘Personal data’ means any information relating to an identified or identifiable natural person (hereafter the ‘data subject’). An identifiable person is any natural person who can be identified directly or indirectly, particularly by an identifying element such as a name, an identification number, location data, an online identifier or one or more special characteristics that express the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.

b) Data subject
A ‘data subject’ is any identified or identifiable natural person whose personal data are processed by the controller.

c) Processing
‘Processing’ means any operation or series of operations in relation to personal data carried out with or without the aid of automated procedures, such as the collection, recording, organisation, sorting, storage, adaptation or alteration, reading, retrieval, use, disclosure by transmission, dissemination or any other form of provision, comparison or linking, restriction, erasure or destruction.

d) Restriction of processing
‘Restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future.

e) Profiling
‘Profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

f) Pseudonymization
‘Pseudonymisation’ means the processing of personal data in such a manner that the data can no longer be assigned to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person

g) Controller
The ‘controller’ means the natural or legal person, public authority, institution or other body that, either alone or jointly with others, determines the purposes and means of processing personal data.

h) Processor
The ‘processor’ means a natural or legal person, authority, institution or other body that processes personal data on behalf of the data controller.

i) Recipient
The ‘recipient’ means a natural or legal person, authority, institution or other body to which personal data is disclosed, regardless of whether it is a third party or not.

j) Third party
A ‘third party’ means a natural or legal person, authority, institution or other body other than the data subject, processor, and persons authorised to process the personal data under the direct authority of the controller or processor.

k) Consent
‘Consent’ means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he/she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him/her.


2. Name and address of the controller


The controller responsible within the meaning of the General Data Protection Regulation, other data protection laws in force in EU Member States, and other provisions related to data protection is:

step by step S.A.
1, rue du Stade
L-2547 Luxembourg

Tel.: +352 26 68 77 01

Email: info@ing-night-marathon.lu 
Website: www.ing-night-marathon.lu 

3. Name and address of the data protection officer

The data protection officer responsible for data processing is:

Alice Patas

step by step S.A.
1, rue du Stade
L-2547 Luxembourg

Tel.: +352 26 68 77 01

Email: info@ing-night-marathon.lu
Website: www.ing-night-marathon.lu 

Any data subject can contact our data protection officer directly at any time with questions or suggestions regarding data protection.

4. Cookies


The website of the ING Night Marathon Luxembourg uses cookies. Cookies are text files, which are stored on an IT system via an Internet browser.

Many websites and servers use cookies. Many cookies contain a so-called ‘cookie ID’. A cookie ID is a unique identifier of the cookie. It consists of a string of characters through which Internet pages and servers can be assigned to the specific Internet browser in which the cookie was stored. This enables the servers and webpages visited to distinguish the data subject’s individual browser from other Internet browsers that contain other cookies. A particular Internet browser can be recognized and identified by its unique cookie ID.

The use of cookies enables step by step S.A. to provide users of its website with more user-friendly services that would not be possible without cookies.

The cookie allows us to optimize the information and offers on our website for the user. As previously mentioned, cookies enable us to recognize our website users. The purpose of this recognition is to make it easier for users to use our website. For example, the website users who use cookies do not have to re-enter their access data each time they visit the website because this is taken over by the website and the cookie stored on the user's IT system. Another example is a shopping basket cookie in the online shop. The cookie allows the online shop to remember the items a customer has placed in the virtual shopping basket.

The data subject can prevent our website from using cookies at any time by using a relevant setting in the Internet browser, thereby permanently objecting to the placement of cookies. Furthermore, cookies that have already been placed can be deleted at any time via the Internet browser or other software programs. This is possible in all common internet browsers. If the data subject deactivates cookies in his/her the Internet browser, some of our website functions may not be fully usable.

5. Collection of general data and information


The ING Night Marathon Luxembourg website collects a series of general data and information every time a person accesses the website. This general data and information is stored in the server’s log files. We record (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our website (known as the ‘referrer’), (4) the sub-websites accessed via an accessing system on our website, (5) the date and time of access to the website, (6) an Internet Protocol address (IP address), (7) the Internet service providers of the accessing system, and (8) other similar data and information used for security purposes in the event of attacks on our information technology systems.

When using this general data and information, step by step S.A. does not draw any conclusions about the data subject concerned. Rather, this information is required to (1) correctly deliver the contents of our website, (2) optimize our website’s contents and advertising, (3) ensure the permanent functionality of our IT systems and the technology of our website, and (4) provide law enforcement authorities with the information necessary for criminal prosecution in the event of a cyber-attack. Therefore, this anonymously collected data and information is used by step by step S.A. for statistical purposes, and also with the aim of improving data protection and data security in our company so that we can ultimately ensure an optimum level of protection for any personal data we process. The anonymous data of the server log files are stored separately from all personal data provided by the data subject.

6. Registration on our website


The data subject has the option of registering on the ING Night Marathon Luxembourg’s website by providing personal data. The personal data transferred to the controller is determined by the respective input mask used for registration. The personal data entered by the data subject are collected and stored exclusively for internal use by the controller and for the data subject's own purposes. The controller may arrange for the data to be transferred to one or more processors, who shall also use the personal data exclusively for internal use attributable to the controller.

When a user registers on the ING Night Marathon Luxembourg website, his/her IP address assigned by the Internet Service Provider (ISP) is stored along with the date and time of registration. The idea behind storing this data is that this is the only way to prevent misuse of our services and, if necessary, to enable us to investigate any criminal offences committed. In this respect, the storage of this data is necessary to protect the controller. This data will not be passed on to third parties unless required to do so by law or for the purpose of criminal prosecution.

When the data subject registers and voluntarily agrees to provide his/her personal data, step by step S.A is able provide the data subject with content or services which, due to the nature of the case, can only be offered to registered users. Registered users are free to modify the personal data given upon registration at any time or to delete it completely from the controller’s database.

At any time, step by step S.A. will provide the data subject with information upon request about which of his/her personal is being stored. Furthermore, step by step S.A. agrees to correct or erase the data subject’s personal data at his/her request or notice, insofar as this does not conflict with statutory retention requirements.

7. Contact via the website


Due to legal regulations, the website of the ING Night Marathon Luxembourg contains information that enables quick electronic contact with our company as well as direct communication with us, including a general email address. If a data subject contacts us via email or a contact form, the personal data transmitted by the data subject will be automatically stored for the purpose of processing or contacting the data subject. This personal data will not be disclosed to third parties.

8. Routine erasure of personal data


The controller will only process and store the data subject’s personal data for the period necessary to achieve the purpose of the storage.

If there is no longer any reason to store the personal data, it will be routinely blocked or deleted in accordance with the statutory provisions.

9. Rights of the data subject


a) Right to confirmation
Every data subject shall have the right granted by EU regulations and directives to require the controller to confirm whether personal data concerning him/her is being processed. If a data subject wishes to exercise this right of confirmation, he/she may contact the controller or relevant employee at any time.

b) Right to information
At any time, any data subject whose personal data is being processed shall have the right, granted by EU regulations and directives, to obtain information from the controller free of charge on the personal data being stored about him/her and a copy of that information. Furthermore, EU regulations and directives provide that the data subject be given the following information:

  • the purposes of the processing
  • the categories of personal data being processed
  • the recipients or categories of recipients to whom the personal data have been disclosed or will be disclosed, in particular recipients in third countries or international organizations
  • if possible, the planned duration for which the personal data will be stored or, if not possible, the criteria for determining that duration
  • the existence of a right to rectification or erasure of the personal data concerning him/her or of a restriction to the controller’s processing of said data or of a right to object to such processing
  • the right to lodge a complaint with a supervisory authority
  • if the personal data is not collected from the data subject: All available information about the origin of the data
  • the existence of automated decision-making, including profiling in accordance with Article 22(1) and (4) of the GDPR and—at least in these cases—meaningful information on the logic involved, and the scope and envisaged consequences of such processing for the data subject


If a data subject wishes to exercise this right to information, he/she may contact step by step S.A. at any time.

c) Right to rectification
Any person affected by the processing of personal data has the right granted by EU regulations and directives to demand the immediate rectification of inaccurate personal data concerning him/her. Furthermore, taking into account the purposes of the processing, the data subject has the right to demand the completion of incomplete personal data—including by means of providing a supplementary statement.

If a data subject wishes to exercise this right to rectification, he/she can do so at any time by contacting step by step S.A.

d) Right to erasure (‘right to be forgotten’)
Any person affected by the processing of personal data has the right granted by EU regulations and directives to require the controller to delete his/her personal data without delay, if one of the following reasons applies and if processing is not required:

  • The personal data have been collected or otherwise processed for purposes for which they are no longer necessary.
  • The data subject withdraws his/her consent on which the processing was based in accordance with Article 6 (1)(a) of the GDPR or Article 9 (2)(a) of the GDPR, and there is no other legal basis for the processing.
  • The data subject objects to the processing in accordance with Art. 21(1) of the GDPR, and there are no overriding legitimate grounds for the processing, or the data subject objects to processing according to Art. 21(2) of the GDPR.
  • The personal data have been unlawfully processed.
  • The erasure of personal data is necessary to fulfil a legal obligation under EU or national law to which the controller is subject.
  • The personal data were collected in relation to information company services offered pursuant to Art. 8(1) of the GDPR.


If one of the above reasons applies and a data subject would like to request erasure of any personal data that has been stored by step by step S.A., he/she may do so at any time by contacting step by step S.A. In this case, the request for erasure will be fulfilled immediately.

If any personal data were made public by step by step S.A., and if our company is responsible for the deletion of personal data according to Art. 17(1) of the GDPR, then step by step S.A., taking into account available technology and reasonable implementation costs, shall take reasonable steps, including technical measures, to inform all data controllers responsible for processing the personal data that have been made public that the data subject has requested the erasure of any links to, or copy or replication of, those personal data.

e) Right to restriction of processing
Any person affected by the processing of personal data has the right granted by EU regulations and directives to require the controller to restrict the processing of his/her personal data under any of the following conditions:

  • The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.
  • the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
  • The data subject has objected to processing pursuant to Art. 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.


If a data subject would like to request erasure of any personal data that has been stored by step by step S.A. under any of the above-stated conditions, he/she may do so at any time by contacting step by step S.A. The step by step S.A. employee will make sure the data processing is restricted.

f)     Right to data portability

Any person affected by the processing of personal data has the right granted by EU regulations and directives to receive the personal data concerning him/her, which he/she has provided to a controller, in a structured, commonly used and machine-readable format. He/she also has the right to transmit these data to another controller without hindrance from the controller to whom the personal data was given, provided that the processing is based on the consent pursuant to Article 6 (1)(a) of the GDPR or Article 9 (1)(b) 2(a) of the GDPR or on a contract pursuant to Article 6 (1)(b) of the GDPR, and the processing is carried out by automated means, unless the processing is necessary for the performance of a task of public interest or in the exercise of public authority assigned to the controller.

Furthermore, in exercising his/her right to data portability pursuant to Article 20(1) of the GDPR, the data subject shall have the right to have his/her personal data transmitted directly from one controller to another, as long as this is technically feasible and does not affect the rights and freedoms of others.

To exercise his/her right to data portability, the data subject may contact step by step S.A. at any time.

g)    Right to object
Any person affected by the processing of personal data has the right granted by EU regulations and directives to object to processing of personal data concerning him or her at any time, on grounds relating to his/her particular situation, which is based on point Article 6 (1) of the GDPR. This applies for profiling based on those provisions as well.

In the event of an objection, step by step S.A will cease to process personal data, unless we can establish compelling legitimate grounds for processing that outweigh the interests, rights and freedoms of the data subject, or the processing is necessary for asserting, exercising or defending legal claims.

If step by step S.A. processes personal data in order to operate direct mail, the data subject has the right to object at any time to the processing of his/her personal data for the purposes of such advertising. This also applies to the profiling, as far as it is associated with direct mail. If the data subject objects to step by step S.A. using his/her personal data for direct marketing purposes, step by step S.A will cease to do so.

In addition, the data subject has the right, for reasons based on his/her particular situation, to object to the processing of personal data relating to him/her by the ING Night Marathon Luxembourg for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 (1) of the GDPR, unless such processing is necessary to fulfil a task of public interest.

To exercise his/her right to objection, the data subject may contact step by step S.A. at any time.

h) Automated individual decision-making, including profiling

Any person affected by the processing of personal data has the right granted by EU regulations and directives to not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her; unless the decision (1) is necessary for entering into, or performance of, a contract between the data subject and a data controller, or (2) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or (3) is based on the data subject’s explicit consent.

If the decision (1) is required for the conclusion or performance of a contract between the data subject and the controller or (2) it is with the express consent of the data subject, step by step S.A. shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express his/her own position and to contest the decision.

If a data subject wishes to exercise this right to not be subject to automated decision-making, he/she may contact the controller or relevant employee at any time.

i) Right to revoke a data protection consent
Any person affected by the processing of personal data has the right granted by EU regulations and directives to revoke consent to the processing of personal data at any time.

If a data subject wishes to exercise this right to revoke consent, he/she may contact the controller or relevant employee at any time.

10. Data protection in applications and in the application process


step by step S.A. collects and processes the personal data of applicants as part of the application process. The processing can also be done electronically. This is particularly the case if an applicant submits relevant application documents to the controller using electronic means, for example via email or a web form available on the website. If the controller concludes a contract of employment with an applicant, the data transmitted will be stored for employment relationship purposes in accordance with the law. If no employment contract is concluded between the candidate and the controller, the application documents will be automatically deleted within two months of the announcement of the rejection decision, unless deletion precludes other legitimate interests of the controller. In this sense, other legitimate interests include, for example, a burden of proof in an Equal Treatment Act lawsuit.

11. Privacy policy on the use of Facebook


step by step S.A. has installed Facebook plug-ins on its website. Facebook is a social network.

A social network is an Internet-based social meeting place, an online community that allows users to communicate with each other and interact in a virtual space. A social network can serve as a platform to exchange views and experiences and allows the Internet community to provide personal or business information. Facebook allows social network users to create private profiles, upload photos and socialize via friend requests.

The operating company of Facebook is Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA. If a data subject lives outside the US or Canada, those responsible for the processing of his/her personal data are Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

If a Facebook component (i.e. Facebook plug-in) has been installed on the controller’s website, then each time one of the website’s pages is visited, the data subject’s Internet browser will automatically trigger, via the Facebook plug-in, a representation of said plug-in to download. An overview of all Facebook plug-ins can be found at https://developers.facebook.com/docs/plugins/?locale=en_US . As part of this technical process, Facebook receives information about which specific subpages of our website the data subject visits.

If the data subject is simultaneously logged into Facebook while visiting our website, Facebook recognizes which specific subpages of our website the data subject visits. This recognition occurs every time he/she visits our website and during the entire duration of his/her stay on our website. This information is collected via the Facebook plug-in and assigned by Facebook to the data subject’s Facebook account. If the data subject activates one of the Facebook buttons integrated on our website, for example the ‘Like’ button, or if the data subject leaves a comment, Facebook assigns this information to the data subject’s personal Facebook account and saves this personal data.

If the data subject is logged in to Facebook when accessing our website, Facebook will always be notified via the Facebook plug-in that the data subject has visited our website; this happens regardless whether the person clicks on the Facebook plug-in or not. If the data subject does not wish for this information to be transferred to Facebook, he/she can prevent the transfer by logging out of his/her Facebook account before visiting our website.

Facebook’s data policy, which is available at https://www.facebook.com/full_data_use_policy, provides information on the collection, processing and use of personal data by Facebook. It also explains which options Facebook offers to protect the data subject’s privacy. In addition, there are various applications available to suppress data transmission to Facebook. The data subject is free to make use of such applications to suppress data transmission to Facebook.

12. Privacy notice for using the Facebook Custom Audience Pixel


This website uses Custom Audiences from Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA. For this purpose, so-called ‘Facebook pixels’ are installed on our website. These pixels anonymously mark our website’s visitors. No personal information is collected from visitors to our website. If you are logged in to Facebook at a later date, Facebook can recognize the previous visit to our pages and use the information obtained to display Facebook Ads. The Website Custom Audiences product uses a Facebook cookie. The website operator and Facebook are responsible for collection and processing. Further information on the purpose and extent of the data collection and the further processing and use of data by Facebook, as well as the setting options for the protection of privacy can be found in Facebook’s privacy policy, which can be found at https://www.facebook.com/ads/website_custom_audiences and https://www.facebook.com/privacy/explanation

Objection

If a visitor to our site wishes to object to the use of Facebook Website Custom Audiences, he/she may do so at www.facebook.com/ads/website_custom_audiences.

13. Privacy policy on the use of Google Analytics (with anonymization feature)


The controller of this website has installed Google Analytics (with anonymization function). Google Analytics is a web analytics service. Web analytics involves the collection, analysis and evaluation of data about the behaviour of website visitors. Web analytics services collect data on topics such as the website via which a data subject has come to a website (so-called ‘referrer’), which subpages of the website a data subject accesses, and how often and for how long a subpage was viewed. Web analytics are primarily used to optimize a website and provide a cost-benefit analysis for online advertising purposes.

The operating company of Google Analytics is Google Inc., 1600 Amphitheater Pkwy, Mountain View, CA 94043-1351, USA.

The controller uses the "_gat._anonymizeIp” object for Google Analytics. Google uses this object to shorten ad anonymise the data subject’s IP if he/she is accessing our website from an EU member state or from any other state party to the agreement on the European Economic Area.

The purpose of the Google Analytics feature is to analyse visitor flows on our website. Among other things, Google uses the data and information obtained to evaluate the use of our website, to compile online reports showing activity on our websites, and to provide other services related to the use of our website.

Google Analytics places a cookie on the data subject’s browser. For more information about what cookies are, please see above. Via this cookie, Google is able to analyse how our website is used. If Google Analytics has been installed on the controller’s website, then each time one of the website’s pages is visited, the data subject’s Internet browser will be automatically triggered by Google Analytics to submit data to Google for online analytics purposes. As part of this technical process, Google will be aware of certain personal data, such as the data subject’s IP address. This allows Google to, among other things, track the visitor’s origin and clicks, subsequently enabling commission settlements.

The cookie stores personal information, such as access time, the location from which access was made, and the frequency of site visits by the data subject. Upon each visit to our website, personal information, including the data subject’s IP address, is transferred to Google in the United States of America. This personal information is stored by Google in the United States of America. Google may transfer such personal data collected through this technical process to third parties.

As explained above, the data subject can prevent the placement of cookies through our website at any time by installing a relevant setting on his/her Internet browser, thereby permanently objecting to the placement of cookies. Such a setting would also prevent Google from placing a cookie on the data subject’s IT system. In addition, a cookie already placed by Google Analytics can be deleted at any time via the Internet browser or other software programs.

Furthermore, the data subject has the option of objecting to and preventing the collection of data by Google Analytics for the use of this website and the processing of this data by Google. To do so, the data subject should download and install a browser add-on at https://tools.google.com/dlpage/gaoptout. This browser add-on informs Google Analytics via JavaScript that no data and information about website visits may be transmitted to Google Analytics. The installation of the browser add-on is viewed as an objection by Google. If the data subject's IT system is later deleted, formatted or reinstalled, the data subject must re-install the browser add-on to disable Google Analytics. If the browser add-on has been uninstalled or disabled by the data subject or any other person within his/her sphere of control, it can be reinstalled or reactivated.

For more information about Google's privacy policy, please see https://policies.google.com/privacy?hl=en and https://www.google.com/analytics/terms/us.html .
Google Analytics is explained in more detail at https://www.google.com/intl/en_uk/analytics/#?modal_active=none

14. Privacy policy on the use of Google Remarketing


step by step S.A. has installed Google Remarketing on its website. Google Remarketing is a feature of Google AdWords that allows a business to show advertisements to internet users that have previously visited the company's website. By integrating Google Remarketing, a company can create user-friendly advertising, thereby allowing internet users to see ads based on their interests.

The Google Remarketing Services company is Google Inc., 1600 Amphitheater Pkwy, Mountain View, CA 94043-1351, USA.

The purpose of Google Remarketing is to display interest-based advertising. Google Remarketing allows us to display ads through the Google Network or on other websites that are tailored to the individual needs and interests of Internet users.
Google Remarketing places a cookie on the data subject’s IT system. The term ‘cookies’ has already been explained in section 4 of this privacy policy. The cookie allows Google to recognize the visitor to our website, and to see if he/she subsequently visits other websites that are also members of the Google ad network. Each time a user visits a website on which Google Remarketing's service has been integrated, the user’s Internet browser automatically identifies with Google. As part of this technical process, Google receives information about personal data, such as the user’s the IP address or browsing behaviour, which Google then uses to display ads that are relevant to the user’s interests, among other things.
The cookie is used to store personal information, such as the websites visited by the data subject. Upon each visit to our website, personal information, including the data subject’s IP address, is transferred to Google in the United States of America. This personal information is stored by Google in the United States of America. Google may transfer such personal data collected through this technical process to third parties.

As explained above, the data subject can prevent the placement of cookies through our website at any time by installing a relevant setting on his/her Internet browser, thereby permanently objecting to the placement of cookies. Such a setting would also prevent Google from placing a cookie on the data subject’s IT system. In addition, a cookie already placed by Google Analytics can be deleted at any time via the Internet browser or other software programs.

Furthermore, the data subject has the option of objecting to Google's interest-based advertising. To do so, the data subject should visit www.google.com/settings/adsfrom each of their Internet browsers and set the desired settings there.

Additional information and Google's privacy policy can be found at https: //www.google.com/intl/en/policies/privacy/

15. Privacy policy on the use of Google AdWords


step by step S.A. has installed Google AdWords on its website. Google AdWords is an Internet advertising service that allows advertisers to run both Google and Google Network search engine results. Google AdWords allows an advertiser to pre-defined keywords that will display an ad on Google's search engine results only when the search engine retrieves a search result related to one of those keywords. In the Google Network, ads are distributed on topical web pages using an automated algorithm and according to pre-defined keywords.

The operating company for the services of Google AdWords is Google Inc., 1600 Amphitheater Pkwy, Mountain View, CA 94043-1351, USA.

The purpose of Google AdWords is to promote our website by displaying interest-based advertising on third-party websites, in Google search engine results, and by displaying advertisements on our own website.

If a data subject comes to our website via a Google ad, a so-called ‘conversion cookie’ will be stored on Google's information technology system. The term "cookies" has already been explained in section 4 of this privacy policy. A conversion cookie expires after thirty days and is not used to identify the data subject. If the cookie has not yet expired, the cookie will trace whether certain sub-pages, such as the shopping cart in the online shop, were accessed on our website. The conversion cookie allows both us and Google to understand whether a data subject who came to our website via an AdWords ad generated revenue, i.e. completed or cancelled a purchase.

The data and information collected through the use of conversion cookies are used by Google to create visitor statistics for our website. We then use these visitor statistics to determine the total number of users who have been sent to us through AdWords ads, in order to determine the success or failure of each AdWords ad and to optimize our AdWords ads for the future. Neither our company nor any other Google AdWords advertiser receives any information from Google that could identify the data subject.

The conversion cookie stores personal information, such as the web pages visited by the data subject. Upon each visit to our website, personal information, including the data subject’s IP address, is transferred to Google in the United States of America. This personal information is stored by Google in the United States of America. Google may transfer the personal data collected through this technical process to third parties.

As explained above, the data subject can prevent the placement of cookies through our website at any time by installing a relevant setting on his/her Internet browser, thereby permanently objecting to the placement of cookies. Such a setting would also prevent Google from setting a conversion cookie on the data subject’s IT system. In addition, a cookie already set by Google AdWords can be deleted at any time via the Internet browser or other software programs.

Furthermore, the data subject has the option of objecting to Google's interest-based advertising. To do so, the data subject should access the link www.google.com/settings/ads from each of the Internet browsers he/she uses and make the desired settings there.

Additional information and Google's privacy policy can be found at https://www.google.com/intl/en/policies/privacy/ .

16. Privacy policy on the use of Instagram


step by step S.A. has installed Instagram plug-ins on its website. Instagram is a service that qualifies as an audio-visual platform, allowing users to share photos and videos, and also disseminate such data to other social networks.

Instagram's operating company is Instagram LLC, 1 Hacker Way, Building 14 First Floor, Menlo Park, CA, USA.

If an Instagram plug-in (Insta button) has been installed on the controller’s website, then each time one of the website’s pages is visited, the data subject’s Internet browser will automatically trigger, via the Instagram plug-in, a representation of said plug-in to download. As part of this technical process, Instagram receives information about which specific subpages of our website the data subject visits.

If the data subject is simultaneously logged into Instagram while visiting our website, Instagram recognizes which specific subpages of our website the data subject visits. This recognition occurs every time he/she visits our website and during the entire duration of his/her stay on our website. This information is collected via the Instagram plug-in and assigned via Instagram to the data subject’s Instagram account. If the data subject activates one of the Instagram buttons on our website, the data and information transferred with it are assigned to the data subject’s personal Instagram account and saved and processed by Instagram.

If the data subject is simultaneously logged in to Instagram while accessing our website, Instagram will always be notified via the Instagram plug-in that the data subject has visited our website; this happens regardless whether the person clicks on the Instagram plug-in or not. If the data subject does not wish for this information to be transferred to Instagram, he/she can prevent the transfer by logging out of his/her Instagram account before visiting our website.

Additional information and Instagram's privacy policy can be found at https://help.instagram.com/155833707900388 and www.instagram.com/about/legal/privacy.

17. Privacy policy on the use of Twitter


step by step S.A. has installed Twitter plug-ins on its website. Twitter is a multilingual, publicly accessible microblogging service that allows users to publish and distribute so-called ‘tweets’. These short messages are available to anyone, including those not registered with Twitter.  The tweets are also visible to the respective user’s so-called ‘followers’. Followers are other Twitter users who follow a user's tweets. Twitter also allows you to address a broad audience via hashtags, links or retweets.

The operating company of Twitter is Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA.

If a Twitter plug-in (Twitter button) has been installed on the controller’s website, then each time one of the website’s pages is visited, the data subject’s Internet browser will automatically trigger, via the Twitter plug-in, a representation of said plug-in to download. Further information on Twitter buttons is available at https://about.twitter.com/en/resources/buttons . As part of this technical process, Twitter receives information about which specific subpages of our website the data subject visits. The purpose of the Twitter plug-in on our website is to allow our users to redistribute the website’s contents, to promote this website in the digital world and to increase our visitor numbers.

If the data subject is simultaneously logged into Twitter while visiting our website, Twitter recognizes which specific subpages of our website the data subject visits. This recognition occurs every time he/she visits our website and during the entire duration of his/her stay on our website. This information is collected through the Twitter plug-in and assigned via Twitter to the data subject's Twitter account. If the data subject activates one of the Twitter buttons on our website, the data and information transferred with it are assigned to the data subject’s personal Twitter account and saved and processed by Twitter.

If the data subject is simultaneously logged in to Twitter while accessing our website, Twitter will always be notified via the Twitter plug-in that the data subject has visited our website; this happens regardless whether the person clicks on the Twitter plug-in or not. If the data subject does not wish for this information to be transferred to Twitter, he/she can prevent the transfer by logging out of his/her Twitter account before visiting our website.

The current privacy policy of Twitter is available at https://twitter.com/de/privacy

18. Privacy policy on the use of YouTube


step by step S.A. has installed YouTube plug-ins on its website. YouTube is an internet video portal that allows users to publish or watch video clips for free and other users to watch, rate and comment on those clips for free. YouTube allows users to publish all types of videos, including complete film and television broadcasts, music videos, trailers or user-made videos.

YouTube's operating company is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheater Pkwy, Mountain View, CA 94043-1351, USA.

If a YouTube plug-in (YouTube button) has been installed on the controller’s website, then each time one of the website’s pages is visited, the data subject’s Internet browser will automatically trigger, via the YouTube plug-in, a representation of said plug-in to download. More information about YouTube can be found at https://www.youtube.com/about/. As part of this technical process, YouTube and Google receive information about which specific subpages of our website the data subject visits.

If the data subject is simultaneously logged into YouTube while visiting our website, YouTube recognizes which specific subpages of our website the data subject visits. This recognition occurs every time he/she visits our website. This information is collected by YouTube and Google and associated with the data subject’s YouTube account.

If the data subject is simultaneously logged in to YouTube while accessing our website, YouTube and Google will always be notified via the YouTube plug-in that the data subject has visited our website; this happens regardless whether the person clicks on the YouTube plug-in or not. If the data subject does not wish for this information to be transferred to YouTube, he/she can prevent the transfer by logging out of his/her YouTube account before visiting our website.

YouTube's privacy policy, available at https://www.google.com/intl/en/policies/privacy/ , provides more information about the collection, processing, and use of personal information by YouTube and Google.

19. Legal basis of processing


Art. 6 (1)(a) of the GDPR provides us with a legal basis for processing operations in which we obtain consent for a particular processing purpose. If the processing of personal data is necessary to fulfil a contract of which the data subject is a party, as is the case in processing operations necessary to register for the ING Night Marathon Luxembourg, for example, or to provide any other service or consideration, the lawfulness of this processing is based on Art. 6 (1)(b) of the GDPR. The same applies to processing operations that are necessary to carry out pre-contractual measures, for example in cases of inquiries regarding our products or services. If our company is subject to a legal obligation which requires the processing of personal data, such as the fulfilment of tax obligations, the processing is based on Art. 6 (1)(c) of the GDPR. In rare cases, the processing of personal data may be required to protect the vital interests of the data subject or another natural person. This would be the case, for example, if a visitor to our premises were injured and his/her name, age, health insurance or other vital information would be passed on to a doctor, hospital or other third party. Such processing would be based on Art. 6 (1)(d) of the GDPR. Finally, certain processing operations find their legal basis in Art. 6 (1)(f) of the GDPR. If a processing operation is necessary to safeguard the legitimate interests of our company or a third party, but not covered by any of the legal bases above, the processing is considered lawful except in cases where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. According to European law, we are allowed to carry out such operations. In this respect, according to the second sentence of Recital 47 of the GDPR, a legitimate interest could be assumed if the data subject is a customer.

20. Legitimate interests for processing pursued by the controller or a third party


Based on Art. 6 (1)(f) of the GDPR, the processing of personal data is lawful for the purposes of the legitimate interests in conducting our business for the benefit of all our employees and our owners.

21. Duration of personal data storage


The respective statutory retention period determines the duration of personal data storage. Once the maximum retention period has been reached, the corresponding data will be routinely deleted if they are no longer required to fulfil the contract or to initiate a contract.

22. Legal or contractual provisions for the provision of personal data; Necessity for the conclusion of the contract; Obligation of the data subject to provide the personal data; Possible consequences of non-provision

 

To be clear, the provision of certain personal data is required by law (such as tax regulations) or may result from contractual arrangements (such as the contractor’s details). Occasionally, it may be necessary for a data subject to provide us with personal data to conclude a contract, and for this data to subsequently be processed by us. For example, the data subject is required to provide us with personal information when entering into a contract with our company. The data subject’s failure to provide his/her personal data would mean that the contract could not be concluded. Before providing his/her personal information, the data subject should contact one of our employees. Our employee will inform the data subject on a case-by-case basis as to whether the provision of the personal data is required by law or contract, whether the data is required for the conclusion of the contract, whether there is an obligation to provide the personal data, and what the consequences of the non-provision of the personal data are.

avec le soutien de