Privacy Policy

1 Introduction

The protection of your personal data is a matter of important concern to the Körber-Stiftung. We observe all legal provisions dealing with data protection and data safety.
In the following you will find information on what personal data we collect when you access our Internet site at (“website”) and use the services and functions contained therein, and how we use these data for what purposes. In addition, we inform you about the legal bases for the processing of your data and, insofar as the data are processed to pursue our legitimate interests, about these legitimate interests.

2 Data controller

The data controller responsible for the processing of your data through the website is the Körber-Stiftung, Kehrwieder 12, 20457 Hamburg, Germany, tel. 040 / 80 81 92 0, (“Körber-Stiftung”, “we” or “us”).

3 References to laws in this Privacy Statement

On 25 May 2018, the European General Data Protection Regulation (“GDPR”) has entered into force, replacing the “Bundesdatenschutzgesetz”. For this reason we refer to the GDPR in this Privacy Statement. We thereby wish to provide the greatest possible transparency.

4 Contact with the competent data protection officer

You can reach our competent data protection officer at

5 Legal bases for data processing

In accordance with Art. 13 (1) lit. c) GDPR, we must also inform you about the purposes of the processing for which the personal data are intended as well as the legal basis for the processing. In addition to consent to be given, two different legal bases allow the processing of data through our website:

In accordance with Art. 6 (1) sentence 1 lit. b GDPR (and currently in accordance with sec. 28 para. 1 sentence 1 no. 1 BDSG), data processing is lawful if it is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

In accordance with Art. 6 (1) sentence 1 lit. f GDPR (and currently in accordance with sec. 28 para. 1 sentence 1 no. 2 BDSG), data processing is also lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

We refer in the following to these two legal bases in connection with the data processing concerned in each case.

6 Accessing our website

We collect and store the IP address assigned to your computer in order to transmit to your computer the contents of our website retrieved by you (e.g. texts, pictures, articles as well as files made available for downloading, etc.). For the purpose of communicating with our website, your full IP address is processed and stored only for the duration of your visit to our website and is subsequently deleted automatically. The legal basis for this is Art. 6 (1) lit. b GDPR (or, as the case may be, sec. 28 para. 1 sentence 1 no. 1 BDSG).

In addition, we collect and process information regarding the use of the website, for example the browser type being used as well as the date and time of access to the website. We process these data to optimise our website and offers and for market analysis purposes. The legal basis is Art. 6 (1) lit. f GDPR (or, as the case may be, sec. 28 para. 1 sentence 1 no. 2 BDSG). Our legitimate interest in this data processing exists in that we have a need to make available a website with a needs-based design, optimised to suit the terminal devices being used.

To ensure the fault-free operation of our web server and to guarantee server security, your anonymised IP address will be stored by our server provider, Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, for the duration of 7 days. After the expiry of the 7-day period, the anonymised IP address is deleted automatically. The legal basis for this is Art. 6 (1) lit. f GDPR (or, as the case may be, sec. 28 para. 1 sentence 1 no. 2 BDSG).
We analyse the use of our website by analysing server logfiles. These statics are based on anonymised data.

7 Subscription to newsletters and other messages

On our website you can subscribe to our newsletter or other messages that we send by email regarding certain topics. For this, we store your name and your email address and use these data to send you by email the newsletter or, as the case may be, the messages desired by you. A prerequisite for the receipt of newsletters or other messages is your consent in accordance with Art. 6 (1) lit. a GDPR (or, as the case may be, in accordance with secs. 4a BDSG, 13 para. 2 TMG).

Your consent to receiving our newsletters or other messages by email is verified by us by means of the so-called double opt-in procedure. This means that we first ask, by email to the email address stated in the course of the subscription process, that you actively confirm your consent to receiving the newsletters or other messages, before we begin sending them. The information about the confirmation is used by us to document and, if need be, to prove your consent. You can at any time revoke your consent to the sending of newsletters or other messages and to the use of your personal data for those purposes, with effect for the future, without thereby incurring any costs other than the transmission costs in the amount of the basic tariffs. Any revocation of your consent will leave the lawfulness of processing on the basis of such consent unaffected.

8 Orders

On our website you can order books for payment as well as cost-free flyers. We are also planning to enable you to order brochures. The information provided by you when ordering books and brochures (e.g. your name, your address, your email address, personal remarks regarding the order as well as any payment data) is collected and used by us for your order in accordance with Art. 6 (1) lit. b GDPR (or, as the case may be, sec. 28 para. 1 sentence 1 no. 2 BDSG) to send you the books or the brochures in the manner requested by you. Please also note the information regarding the inclusion in our data processing programs (Section 14).

9 Interaction with social networks and services

On our website you can interact as described below with the following social networks and services operated by third parties: Facebook, Google Maps, Twitter, YouTube, Flickr, Instagram, Tumblr, Pinterest, FlippingBook, Issuu and Podigee. In the case of the networks Facebook and Twitter, the connection to the network is made only once you click on the proper link.

From that moment, data can be transmitted to the network concerned. The further services named above are used by us to incorporate content (such as videos and photos) into our website. As the contents are stored on the server of the provider concerned in each case, data can be transmitted to the provider concerned already from the moment in which you retrieve the contents from our website.

We have no influence on the data being collected or on the data processing operations, and we are neither responsible for this data processing nor the data controller within the meaning of the GDPR and of the BDSG. The full extent of the data collection, its legal basis, the purposes as well as the retention periods are also not known to us. Therefore the information provided here is not necessarily complete.

To our knowledge, the provider receives the information that you have accessed the subpage concerned on our website. In view of your visit to the website, your IP address, the date and time of the enquiry, the URL of the website from which the enquiry came, the language and version of your browser, your operating system and its interface, the cookie ID and your user name for the social network, if any, are transmitted. According to Facebook, that provider collects only an anonymised IP address in Germany.

The transmission of the data takes place to our knowledge regardless of whether you actually have an account with the provider or have logged in there. If you are logged in, your data will be attributed directly to your account by the provider. Providers may also use cookies on your computer to track you.

To our knowledge, the provider stores these data in user profiles used by the provider for the purposes of advertising, market research and/or the needs-based design of its website. Such an analysis is made (also for users who are not logged in) in particular to display needs-based advertising and to inform other users of the social network about your activities on our website. You have a right to object against the creation of such user profiles. If you wish to exercise this right to object, please contact the provider concerned.

Further information about the purpose and scope of data usage can be found in the various providers’ privacy statements. You will also find further information there regarding your rights in this respect and the proper settings to protect your privacy.
Addresses of the various providers and URL with their privacy statements:

10 Onlinemarketing

We process personal data for the purposes of online marketing, which may include in particular the marketing of advertising space or the display of advertising and other content (collectively referred to as “Content”) based on the potential interests of users and the measurement of their effectiveness.

For these purposes, so-called user profiles are created and stored in a file (so-called “cookie”) or similar procedure in which the relevant user information for the display of the aforementioned content is stored. This information may include, for example, content viewed, websites visited, online networks used, communication partners and technical information such as the browser used, computer system used and information on usage times. If users have consented to the collection of their sideline data, these can also be processed.

The IP addresses of the users are also stored. However, we use provided IP masking procedures (i.e. pseudonymisation by shortening the IP address) to ensure the protection of the user’s by using a pseudonym. In general, within the framework of the online marketing process, no clear user data (such as e-mail addresses or names) is secured, but pseudonyms. This means that we, as well as the providers of online marketing procedures, do not know the actual identity of the users, but only the information stored in their profiles.

The information in the profiles is usually stored in the cookies or similar memorizing procedures. These cookies can later, generally also on other websites that use the same online marketing technology, be read and analyzed for purposes of content display, as well as supplemented with other data and stored on the server of the online marketing technology provider.

Exceptionally, clear data can be assigned to the profiles. This is the case, for example, if the users are members of a social network whose online marketing technology we use and the network links the profiles of the users in the aforementioned data. Please note that users may enter into additional agreements with the social network providers or other service providers, e.g. by consenting as part of a registration process.

As a matter of principle, we only gain access to summarised information about the performance of our advertisements. However, within the framework of so-called conversion measurement, we can check which of our online marketing processes have led to a so-called conversion, i.e. to the conclusion of a contract with us. The conversion measurement is used alone for the performance analysis of our marketing activities.

Unless otherwise stated, we kindly ask you to consider that cookies used will be stored for a period of two years.

Information on legal basis: If we ask users for their consent (e.g. in the context of a so-called “cookie banner consent”), the legal basis for processing data for online marketing purposes is this consent. Otherwise, user data will be processed on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online services. In this context, we would also like to refer you to the information on the use of cookies in this privacy policy (see Section 11).

Facebook Pixel: With the help of the Facebook pixel, Facebook is on the one hand able to determine the visitors of our online services as a target group for the presentation of ads (so-called “Facebook ads”). Accordingly, we use Facebook pixels to display Facebook ads placed by us only to Facebook users and within the services of partners cooperating with Facebook (so-called “audience network”) who have shown an interest in our online services or who have certain characteristics (e.g. interests in certain topics or products that are determined on the basis of the websites visited) that we transmit to Facebook (so-called “custom audiences”). With the help of Facebook pixels, we also want to ensure that our Facebook ads correspond to the potential interest of users and do not appear annoying. The Facebook pixel also enables us to track the effectiveness of Facebook ads for statistical and market research purposes by showing whether users were referred to our website after clicking on a Facebook ad (known as “conversion tracking”).

Services and service providers being used:

  • Google Tag Manager: Google Tag Manager is a web tag management solution that allows us to manage website tags through a single interface (including Google Analytics and other Google marketing services in our online services). The Tag Manager itself (which implements the tags) does not process any personal user data. With regard to the processing of users’ personal data, reference is made to the information below regarding Google services. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website:; Privacy Policy:; Privacy Shield (Safeguarding the level of data protection when processing data in the USA):

  • Google Analytics: Online marketing and web analytics; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website:; Privacy Policy:; Privacy Shield (Safeguarding the level of data protection when processing data in the USA):; Opt-Out: Opt-Out-Plugin:, Settings for the Display of Advertisements:

  • Google Ads and Conversion Tracking: We use the Google “Ads” online marketing method to place ads on the Google advertising network (e.g., in search results, videos, websites, etc.) so that they are displayed to users who have an alleged interest in the ads. We also measure the conversion of the ads. However, we only know the anonymous total number of users who clicked on our ad and were redirected to a page tagged with a conversion tracking tag. However, we ourselves do not receive any information that can be used to identify users. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website:; Privacy Policy:; Privacy Shield (Safeguarding the level of data protection when processing data in the USA):

  • Google Remarketing: This website uses the functions of Google Analytics Remarketing. The provider of these solutions is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
    Google Remarketing analyzes your user patterns on our website (e.g., clicks on specific products), to allocate a certain advertising target groups to you and to subsequently display matching online offers to you when you visit other online offers (remarketing or retargeting).
    Moreover, it is possible to link the advertising target groups generated with Google Remarketing to device encompassing functions of Google. This makes it possible to display interest-based customized advertising messages, depending on your prior usage and browsing patterns on a device (e.g., cell phone) in a manner tailored to you as well as on any of your devices (e.g., tablet or PC).
    If you have a Google account, you have the option to object to personalized advertising under the following link:
    The use of these services occurs on the basis of your consent pursuant to Art. 6(1)(a) GDPR and § 25(1) TTDSG. You may revoke your consent at any time.
    For further information and the pertinent data protection regulations, please consult the Data Privacy Policies of Google at:

  • Facebook Pixel: Facebook-Pixel; Service provider:, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Irland, parent company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA; Website:; Privacy Policy:; Privacy Shield (Safeguarding the level of data protection when processing data in the USA):; Opt-Out:

  • LinkedIn Insight Tag: This website uses the Insight tag from LinkedIn. This service is provided by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland.

    Data processing by LinkedIn Insight tag:

    We use the LinkedIn Insight tag to obtain information about visitors to our website. Once a website visitor is registered with LinkedIn, we can analyze the key occupational data (e.g., career level, company size, country, location, industry, job title) of our website visitors to help us better target our site to the relevant audience. We can also use LinkedIn Insight tags to measure whether visitors to our websites make a purchase or perform other actions (conversion measurement). Conversion measurement can also be carried out across devices (e.g. from PC to tablet). LinkedIn Insight Tag also features a retargeting function that allows us to display targeted advertising to visitors to our website outside of the website. According to LinkedIn, no identification of the advertising addressee takes place.

    LinkedIn itself also collects log files (URL, referrer URL, IP address, device and browser characteristics and time of access). The IP addresses are shortened or (if they are used to reach LinkedIn members across devices) hashed (pseudonymized). The direct identifiers of LinkedIn members are deleted by LinkedIn after seven days. The remaining pseudonymized data will then be deleted within 180 days.

    The data collected by LinkedIn cannot be assigned by us as a website operator to specific individuals. LinkedIn will store the personal data collected from website visitors on its servers in the USA and use it for its own promotional activities. For details, please see LinkedIn’s privacy policy at

    Legal basis:

    If your approval (consent) has been obtained the use of the abovementioned service shall occur on the basis of Art. 6(1)(a) GDPR and § 25 TTDSG (German Telecommunications Act). Such consent may be revoked at any time. If your consent was not obtained, the use of the service will occur on the basis of Art. 6(1)(f) GDPR; the website operator has a legitimate interest in effective advertising promotions that include the utilization of social media.

    Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: and

    Objection to the use of LinkedIn Insight Tag:

    You can object to LinkedIn’s analysis of user behavior and targeted advertising at the following link:

    In addition, LinkedIn members can control the use of their personal information for promotional purposes in the account settings. To prevent LinkedIn from linking information collected on our site to your LinkedIn account, you must log out of your LinkedIn account before you visit our site.

11 Outbrain

We use the service of Outbrain UK Ltd, Outbrain UK Limited, 5 New Bridge Street, London, EC4V 6JA, England. This service allows us to point you to links within our website and to other websites that may be of interest to you. The content is automatically controlled by Outbrain.

The recommendations are based on your previous reading behaviour and relate mainly to the content you have already read. Outbrain stores a cookie on your end device for this purpose. Outbrain collects the device source, the browser type and the user’s IP address, the last octet of which is deleted for anonymisation purposes. Outbrain assigns a so-called Universally Unique Identifier (UUID), which can identify users by device when they visit a website on which the Outbrain widget is implemented. Outbrain creates user profiles in which user interactions (e.g. page views and clicks) of a browser or end device are aggregated in order to derive the preferences of the UUID.

Your data will be deleted after 13 months at the latest. Further information on the scope and storage period can be found in the privacy policy

The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR. You can revoke your consent at any time with effect for the future by accessing the cookie settings and cancelling your consent there.

12 Cookies

When you visit our website, we place so-called “cookies”. A cookie is a file containing certain user information that we read when you return to our website. Our cookies contain series of numbers and letters as a means of identifying (ID) the accessing computer.

We use transient cookies. Transient cookies (temporary cookies) are automatically deleted when you close your browser. This more specifically includes session cookies. They store a so-called session ID, which allows several enquiries from your browser to be attributed to the joint session. This makes it possible to recognise your terminal device when you return to the website. Transient cookies are deleted when you log out or close the browser.

In addition, we also use persistent or permanent cookies. These cookies are stored in your browser and remain there even after you end the browsing session. The cookies connect to the website as soon as it is opened the next time, and they serve the purpose of improving our website offer for you. In particular, they enable us to recognise whether our offer appeals to users enough for them to return regularly. This makes it possible for us to tailor our offer even more precisely to suit our users’ needs.

These transient and persistent cookies are used by us only to assure the performance / availability of the service desired by the user in accordance with Art. 6 (1) lit. f GDPR (or, as the case may be, sec. 28 para. 1 sentence 1 no. 2 BDSG). Our legitimate interest in the data processing is to optimise the website settings for the terminal device used by you and to customise the user interfaces and, in view of the persistent cookies, to improve our offer for you.

You can configure the browser settings as you wish and, for example, refuse to accept certain cookies, e.g. third-party cookies (see there), or refuse all cookies. You can at any time delete cookies yourself in the security settings of your browser or deactivate the cookie function in your Internet browser. It is not absolutely necessary for the navigation and functioning of the website to accept cookies. But we would like to advise you that you may then not be able to fully use all functions of this website. This especially concerns event announcements and book orders. To be able to use this function, you must accept cookies. Instructions regarding the admission, rejection, inspection and deletion of cookies can be found through the help function of your Internet browser.

The stored information is stored separately from any further data that you may provide to us. In particular, the data on the cookies are not merged with any other personal data such as, for example, the registration data for a particular event.

Consent with Usercentrics

This website uses the consent technology of Usercentrics to obtain your consent to the storage of certain cookies on your device or for the use of specific technologies, and to document the former in a data protection compliant manner. The party offering this technology is Usercentrics GmbH, Sendlinger Straße 7, 80331 München, Germany, website: (hereinafter referred to as “Usercentrics”).

Whenever you visit our website, the following personal data will be transferred to Usercentrics:

  • Your declaration(s) of consent or your revocation of your declaration(s) of consent
  • Your IP address
  • Information about your browser
  • Information about your device
  • The date and time you visited our website

Moreover, Usercentrics shall store a cookie in your browser to be able to allocate your declaration(s) of consent or any revocations of the former. The data that are recorded in this manner shall be stored until you ask us to eradicate them, delete the Usercentrics cookie or until the purpose for archiving the data no longer exists. This shall be without prejudice to any mandatory legal retention periods.

Usercentrics uses cookies to obtain the declarations of consent mandated by law. The legal basis for the use of specific technologies is Art. 6(1)© GDPR.

13 Third-party cookies

Some services used by us on our website, e.g. Infogram and Knightlab, use so-called third-party cookies for certain graphs.

Third-party cookies are cookies of third-party providers placed by other websites than the one you are currently visiting. These cookies are placed on our website, for example through the inclusion of services or display of pictures or other elements from third-party providers on our website.

As described above, you can change your browser settings so that the acceptance of third-party cookies will be refused.

14 Analysis of use

On our website, we analyse the use of our website for the purpose of optimising our website and market research in accordance with the following sections. The legal basis for this data processing is Sec. 15 para 3 German Telemedia Act (‘TMG’) resp. Art. 6 para 1 lit. f GDPR.

To this end, data for market research and optimisation purposes are collected and stored on this website. These data can be used to create pseudonymous user profiles. Cookies can be used to do this.

For these purposes, we also use the service Google Analytics. This is a service provided by Google Ireland Limited (“Google”), a company incorporated and operated under the laws of Ireland (registration number: 368047) with establishment at Gordon House, Barrow Street, Dublin 4, Ireland. In this process, three cookies are placed on your device (cf. section 11 above). The information generated by the cookies about your use of this website (including your abbreviated IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information on our behalf, to compile analyses of the activities on our website for us.

We store the data from Google Analytics for a period of 14 months. The maximum duration of the operation of the cookies is two years.

The IP address transmitted by your browser within the scope of Google Analytics will be shortened and not combined with other data at Google. You have the possibility to prevent the storage of cookies via the privacy settings of your browser. Further, you can prevent the collection of data generated by the cookie and related to your use of our website (including your IP address) by downloading and installing the browser plug-in available under the following link: However, we would like to indicate that in this case you might not be able to use all the functions of this website to their full extent.

We also use Hotjar by Hotjar Ltd (Hotjar Ltd, Level 2, St Julians Business Centre, 3, Elia Zammit Street, St Julians STJ 1000, Malta, Europe) in order to better understand our users’ needs and to optimize this service and experience. Hotjar is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behavior and their devices. This includes a device’s IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually forbidden to sell any of the data collected on our behalf.
For further details, please see the ‘about Hotjar’ section of Hotjar’s support site.
If you wish to be entirely excluded from any data storage by Hotjar Ltd when you visit our websites, please follow this link.
The privacy statement of Hotjar Ltd is available at:

15 Contact forms and inclusion in data processing programmes

We provide an email address on our website ( which you can use to contact us. The data provided by you for this (e.g. name, address, telephone number, email address, etc.) are used by us for the purposes of the contact on the basis of Art. 6 (1) lit. a GDPR (secs. 4a BDSG, 13 para. 2 TMG).

We also use forms for you to register for our events or to provide our services to journalists. The data provided by you on the forms as well as any such data received by us from you by telephone are used to confirm your registration or, as the case may be, to carry out the event or perform the services, also on the basis of Art. 6 (1) lit. a GDPR (secs. 4a BDSG, 13 para. 2 TMG). The same applies to such data obtained by us in the course of registrations by telephone.

Additionally we collect the data of visitors who register for one of our events in a customer management system. In the customer management system, we also collect the data of journalists and authors who contact us in other ways (e.g. by email and/or telephone or in discussions at events) or whose contact data are publicly available. Likewise, we collect data here of the participants in the History Contest of the Federal President (Geschichtswettbewerb des Bundespräsidenten). Moreover, in a data processing software for publishing houses, we collect the data of persons who order our publications. These data are stored in order to facilitate the management of our relations with our visitors, the participants in contests, and other interested parties. The legal basis for this data processing is Art. 6 (1) lit. f GDPR (or, as the case may be, sec. 28 para. 1 sentence 1 no. 2 BDSG).

16 Participation in online surveys

If you participate in one of our online surveys, your answers, your IP address and a randomly generated participant ID will be transmitted to and processed by Kantar, the research company we have engaged to conduct the survey. It is not necessary for you to provide any personal information, in particular your name, in order to participate. Kantar processes the information provided in the surveys on our behalf for social research purposes as part of the work of our foundation and then sends us so-called aggregated evaluations, i.e. purely statistical data without any personal reference. Kantar stores the data for up to one year after the survey has been completed. The legal basis for the processing of your data is your consent, Art. 6 par. 1 lit. a DSGVO.

17 Transmission of data

To perform our services, including the despatch of books, flyers and brochures, we use contractually bound sister companies as well as outside undertakings and external service providers such as shipping providers. For these purposes we pass on data that we collect and use in connection with your use of this website, e.g. address data, for example in order to allow the shipment of books.

Information collected and used by us in connection with your use of this website may therefore also be processed by third parties under certain conditions, but only insofar as that is necessary for the purposes set out in this Privacy Statement or insofar as the third party acts as a service provider bound by instructions or as a contract data processor.

The parties mentioned in this clause, for example the shipping providers, are carefully selected and regularly checked by us in order to make sure that your privacy will be protected. They may use the data exclusively for the purposes specified by us. They are bound contractually to use your data exclusively in accordance with our instructions and in compliance with the applicable data protection laws.

Your personal data are disclosed to others only for the purpose of making available to you the website and the services offered through it. The legal basis is Art. 6 (1) sentence 1 lit. b GDPR (sec. 28 para. 1 sentence 1 no. 1, 2 BDSG). Our legitimate interest in passing on the data is to make available to you the services offered on our website.

18 Data protection information for applicants

In the following, we inform you about personal data processing as part of the job application process for a position at Körber-Stiftung.

Data collection

In the course of your application, we will process your application data as listed below:

  • First name, last name
  • Telephone number (private or mobile)
  • E-mail address
  • Application documents (application letter, CV, references, certificates etc.)

The purpose of data collection and its legal basis

We process the data you have sent us in connection with your application in order to fill vacancies within our company. As a basic principle, your data will only be forwarded to the persons and departments responsible for the application process. Your application data will not be used for any other purpose or passed on to any other third parties.
Application data can be processed for statistical purposes (e.g. reporting). This does not allow any conclusions to be drawn about individual persons.
According to Section 26 of the new BDSG (German Federal Data Protection Act), processing personal data required in connection with a decision on the establishment of an employment relationship is permissible. Should the data be required for legal procedures after completion of the application process, data processing may be carried out in accordance with Article 6 of the GDPR (General Data Protection Regulation), in particular to safeguard legitimate interests pursuant to Article 6, Para. 1, Letter f of the GDPR. Our interest then lies, for example, in asserting or defending against claims.
Finally, we process your data for further application procedures if you have given us your consent to do so. In this case, the legal basis is Article 6, Para. 1, Sentence 1, Letter a of the GDPR.

Retention period of the job applicant’s data

Your application data will be deleted six months after the application process is complete. This does not apply if statutory provisions prevent deletion, or if further storage is necessary for the purpose of providing evidence, or you consented to a longer storage period.

Storage for future jobs

If you agree to your application data being stored beyond the current job vacancy, we will continue to store your application data for future vacancies. In this case, we will delete your data after 24 months.

Place of data processing

Your data will be processed in the Federal Republic of Germany and in a member state of the European Union (EU). We have concluded a contract (Data Processing Addendum) with our subcontractor AWS (Amazon Web Services), which ensures that data processing is carried out in a permissible manner.

Cookies on the job portal server

As part of the job applicant management function in HRworks, three essential cookies are set on the job portal server when the function is used.
The HrwJobApplicationmanagementSession cookie represents the session of the person currently on the job portal. This is necessary for operation, because the users of the session can be distinguished accordingly.
In addition, there are two AWS cookies (AWSALB and AWSALBCORS), that are required firstly to assign any information to the correct instance of the server. Secondly, they are necessary to upload the application documents so that this process can be guaranteed to run smoothly for the applicants.

19 Other usage of data

Your personal data will generally be processed or used in any further manner only insofar as that is allowed by a legal provision or you have consented to such data processing or use.

In case of further processing for purposes other than those which the data were originally collected for, we will inform you prior to further processing about these other purposes and will give you the further relevant information.

20 Data erasure

Generally we delete or anonymise your personal data as soon as they are no longer needed for the purposes for which we collected or used them on the basis of the statements above. Specific statements above regarding the retention or deletion of personal data remain unaffected.

Except where this Privacy Statement contains any other deviating provisions regarding the storage of data, the data collected by us will be stored as long as necessary for the purposes stated above which they were collected for.

21 Amendments of this Privacy Statement

The further development of the Internet and of our online offers can have an effect also on the handling of personal data. We therefore reserve the right to change this Privacy Statement in the future within the framework of applicable data protection laws and to adjust it to any changing data processing realities. For this reason we advise you to visit our website from time to time in order to take note of any updates of our Privacy Statement.

22 Right to information

You have the right at any time to obtain information about your personal data stored by us. If you wish to be informed about the personal data concerning you stored by us, or have any other questions regarding data protection, please write to us (Körber-Stiftung, Kehrwieder 12, 20457 Hamburg) or send us an email (

23 Further rights of the data subjects

In your capacity as data subject, you have the following further rights against us:

Right to rectification of inaccurate personal data concerning you in accordance with Art. 16 GDPR;

Right to the erasure (“right to be forgotten”) of the personal data concerning you without undue delay where one of the grounds set out in Art. 17 GDPR applies. These legal grounds apply, for example, if the personal data are no longer necessary in relation to the purposes for which they were collected / processed, if you withdraw your consent and there is no other legal ground for the processing, or if you object to the processing and there are no overriding grounds for the processing;

Right to restriction of processing in accordance with Art. 18 GDPR where one of the grounds set out in that provision applies. According to this provision, processing can be restricted if, for example, the processing is unlawful and you oppose the erasure of the personal data and instead request the restriction of their use, or if you object to processing pursuant to Art. 21 (1) GDPR pending the verification whether our legitimate grounds override yours;

Right in accordance with Art. 21 GDPR to object to the processing of personal data concerning you which is based on Art. 6 (1) lit. e or f GDPR; this applies also to profiling based on those provisions. We then no longer process these personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims;

Right to data portability in accordance with Art. 20 GDPR. This means that you have the right to receive the data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller, e.g. a service provider, provided the processing is based on consent or on a contract and is carried out by automated means.

24 Right to complain to the competent supervisory authority

You have the right at any time to complain to a supervisory authority, in particular a supervisory authority in the member state in which your place of residence or your place of work is located or the breach presumably occurred, if you believe that the processing of the personal data concerning you violates any provisions of the GDPR or the BDSG.

The following data protection authority is responsible for the Körber-Stiftung:

Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
Kurt-Schumacher-Allee 4, 20097 Hamburg, Germany
Tel.: 040 / 428 54 – 4040, email:

Date of this Privacy Statement: 11 March 2024