Data protection notice – SRS website

This data protection notice provides information on the processing of personal data and on how information is accessed and stored on your device when using our website (https://www.s-r-s.org/).

Contents of this data protection notice

1. Controller and contact
2. Data protection officer
3. Data processing when you use our website
- 3.1 Accessing the website, connection data
- 3.2 When you contact us
4. Use of tools on our website
- 4.1 Technologies and browser settings
- 4.2 Legal basis
- 4.3 Necessary tools
5. Disclosure of data
6. Data transfers to third countries
7. Storage period
8. Data protection rights
- 8.1 Overview of your rights
- 8.2 Right of withdrawal and to object
- 8.3 Right to lodge a complaint
9. Obligation to provide your data
10. Automated decision-making
11. Changes to this data protection notice

1. Controller and contact

The contact and so-called controller for the processing of your personal data in connection with the use of the website is

Secure Request Services GmbH (“SRS”, “we”, “us”)
Eberswalder Str. 46,
16227 Eberswalde
Germany
Phone: 004917632435612
Email: contact@s-r-s.org

represented by the Managing Director: Marcus Grotian

2. Data protection officer

If you have any questions about data protection in connection with our services or the use of our website, you can also contact our data protection officer at any time. You can write to the data protection officer at the above postal address (please mark all correspondence with: “F.A.O. Data Protection Officer”) and at the email address dsacompliance@s-r-s.org.

3. Data processing when you use our website

3.1 Accessing the website, connection data

Every time you use our website, we process connection data that your browser automatically transmits in order to enable your use of the website. This connection data comprises what is known as HTTP header information, including the user agent, and includes in particular:

IP address of the requesting device
Method (e.g. GET, POST), date and time of the request
Address of the requested website and path of the requested file
If applicable, the previously visited website/file (HTTP referer)
Information about the browser used and the operating system
Version of the HTTP protocol, HTTP status code, size of the file delivered
Request information such as language, type of content, coding of content, character sets
Cookies stored on the device of the domain accessed.

The processing of this connection data is strictly necessary to enable the use of the website, to ensure the ongoing functionality and security of our systems, and to perform the general administrative maintenance of the website. The connection data is also stored in internal log files for the purposes described above, temporarily and limited to the absolute minimum, in order for example to find the cause of and take action against repeated or criminal requests that endanger the stability and security of the website.

The legal basis for this processing is Art.6(1) Sentence 1(b) GDPR, where access takes place in the course of the initiation or performance of a contract, and otherwise Art.6(1) Sentence 1(f) GDPR, based on our legitimate interest in making it possible to access the website and in ensuring the long-term functionality and security of our systems.

Log files are generally stored for fourteen days and then erased. In exceptional cases, individual log files and IP addresses may be stored for a longer period, for example to prevent further attacks from the same IP address in the event of cyberattacks and/or to pursue legal action against the attackers.

3.2 When you contact us

You may contact us using the communication channels specified above. In this context, we process your data solely for the purpose of communicating with you.

The legal basis for this processing is Art.6(1) Sentence 1(b) GDPR, insofar as we need your details in order to respond to your enquiry or to initiate or perform a contract, and otherwise Art.6(1) Sentence 1(f) GDPR, based on our legitimate interest in enabling you to contact us and being able to respond to your enquiry.

The data processed when you contact us will generally be erased automatically once your enquiry has been fully dealt with, unless further storage is necessary, for example to comply with legal obligations or for documentation purposes.

4. Use of tools on our website

4.1 Technologies and browser settings

This website uses tools embedded in or accessed via the website – such as JavaScript program code (scripts) – which can store information on the device and read information from it. JavaScript and other tools can be blocked by adjusting the settings in your browser.

Most browsers are set by default to accept cookies, run scripts and display graphics. However, you can usually adjust your browser settings in such a way that all or certain cookies are rejected or scripts and graphics are blocked. If you choose to completely disable cookies, graphics and scripts, our services may not function properly or at all.

4.2 Legal basis

Where tools essential to the operation of the website process personal data, such processing is carried out on the basis of our legitimate interest under Art.6(1) Sentence 1(f) GDPR in ensuring the basic functionality of the website. In certain cases, these tools may also be necessary for the performance of a contract or to take steps prior to entering into a contract, in which case the processing is carried out in accordance with Art.6(1) Sentence 1(b) GDPR. In these cases, information is accessed and stored on your device because this is strictly necessary, and on the basis of the EU Member States’ laws implementing the ePrivacy Directive, which in Germany means according to Sect.25(2) of the Telecommunications Digital Services Data Protection Act (TDDDG).

For cases involving the transfer of personal data to third countries, we refer you to the section “Data transfers to third countries”, which also explains the possible associated risks. If you have given your consent to the use of certain tools and to the associated transfer of your personal data to third countries, we (also) transfer the data processed when using the tools to third countries on the basis of this consent pursuant to Art.49(1)(a) GDPR.

4.3 Necessary tools

We use certain tools to enable the basic functionality of this website (“necessary tools”). These include, for example, tools used to prepare and display content, to manage and integrate other tools, to provide payment processing services, to detect and prevent fraud, and to ensure the security of the website. We would not be able to provide the service without these tools. For this reason, necessary tools are used without consent.

The legal basis for necessary tools is the necessity of processing personal data in order to fulfil our legitimate interests pursuant to Art.6(1) Sentence 1(f) GDPR in providing the respective basic functions and in operating the website. In cases where the provision of the functionality in question is necessary for the performance of a contract or for taking steps prior to entering into a contract, the legal basis for data processing is Art.6(1) Sentence 1(b) GDPR. In these cases, information is accessed and stored on your device because this is strictly necessary, and on the basis of the EU Member States’ laws implementing the ePrivacy Directive, which in Germany means according to Sect.25(2) of the Telecommunications Digital Services Data Protection Act (TDDDG).

For cases where data is transferred to third countries, we refer you to the section “Data transfers to third countries” for more information.

We use our own necessary tools that access or store information on the device, in particular

For load balancing
To store your language settings
To note that information placed on our website has been displayed to you – so that it will not be displayed again the next time you visit the website.

5. Disclosure of data

We will generally only disclose personal data we have processed where there is a legal basis for this under data protection law in the specific case, in particular if:

You have given explicit consent pursuant to Art. 6(1) Sentence 1(a) GDPR;
This is permitted by law and is required under Art. 6(1) Sentence 1(b) GDPR for the processing of contractual relationships with you or for taking steps at your request prior to entering into a contract;
We are legally obliged to disclose the data under Art.6(1) Sentence 1(c) GDPR, in particular where this is required due to binding provisions (e.g. in the context of tax audits by the fiscal authorities), official requests, court decisions and legal proceedings for the purpose of legal prosecution or enforcement;
Disclosure is necessary pursuant to Art. 6(1) Sentence 1(f) GDPR to safeguard our legitimate interests or in order to establish, exercise or defend legal claims and there is no reason to assume that you have an overriding legitimate interest in your data not being disclosed; or
This is necessary in order to protect the vital interests of the data subject or of another natural person.

The data processing may be carried out in part by our service providers. In addition to the service providers mentioned in this data protection notice, the following in particular may be involved:

Data centres that host our website and databases, in particular Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Deutschland
Software providers;
IT service providers that maintain our systems;
Consulting firms.

For the development, hosting, maintenance and operation of the website, we use the service provider Flying Spoon GmbH, Jägerallee 34, 14469 Potsdam, Germany.

If we pass data on to our service providers, they may use the data exclusively for the fulfilment of their tasks. We have carefully selected and commissioned the service providers. They are contractually bound by our instructions, have appropriate technical and organisational measures in place to protect the rights of data subjects and are carefully monitored by us.

In addition, where necessary, we may transmit your personal data to other recipients who process your personal data under their own responsibility. These may in particular include:

Postal service providers;
Tax consultants, lawyers or auditors;
Public bodies such as authorities and courts.

6. Data transfers to third countries

Where applicable (for example when using service providers), personal data may be transmitted in part to so-called third countries (countries outside the European Union or the European Economic Area), i.e. countries whose level of data protection does not correspond to that of the European Union.

Where an adequacy decision of the European Commission exists for such countries (Art. 45 GDPR), we base the data transfer on that decision. (Adequacy decisions currently exist for: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, Uruguay and the United Kingdom. For the United States, this applies only where the US recipient is certified under the EU–US Data Privacy Framework.)

Where no adequacy decision exists for the country in question, we have taken appropriate precautions to ensure an adequate level of data protection for any data transfers. These include but are not limited to the standard contractual clauses of the European Union or binding corporate rules (Art. 46 GDPR).

Where this is not possible, we base the transfer of data on derogations under Art. 49 GDPR, in particular your explicit consent or the necessity of the transfer for the performance of the contract or for taking steps prior to entering into a contract.

Where a data transfer to a third country is planned and no adequacy decision or appropriate safeguards are in place, it is possible and there is a risk that authorities in the third country in question (e.g. intelligence agencies) may gain access to the transferred data in order to record and analyse it, and that enforceability of your rights as a data subject cannot be guaranteed. Where your explicit consent is obtained, you will also be informed of this.

7. Storage period

In principle, we only store personal data for as long as this is necessary to fulfil the purposes for which we have collected the data. Generally, we then erase the data without undue delay, unless we still require it until the end of the statutory limitation period for documentation purposes for claims under civil law, due to statutory retention obligations, or there is another legal basis under data protection law for the continued processing of your data in the specific individual case.

In particular, contractual data must be retained for documentation purposes for a period of three years after the end of the year in which the business relationship with you ends. After the standard statutory period of limitation, any claims become statute-barred at this point in time at the earliest.

Even after this period, we are required in some cases to retain your data for legal reasons. We are obliged to do so under statutory record-keeping requirements, which may arise, for example, from the German Commercial Code (HGB) or the Fiscal Code (AO). The periods specified therein for retaining documents range from two to ten years.

8. Data protection rights

8.1 Overview of your rights

Subject to the respective statutory requirements, you always have the following rights as a data subject:

Right to withdraw your consent (Art. 7(3) GDPR)
Right to object to the processing of your personal data (Art. 21 GDPR)
Right of access to personal data concerning you which we process (Art. 15 GDPR)
Right to rectification of inaccurate personal data concerning you which we have stored (Art. 16 GDPR)
Right to erasure of your personal data (Art. 17 GDPR)
Right to restriction of the processing of your personal data (Art.18 GDPR)
Right to data portability (Art. 20 GDPR).

In order to establish your rights described here, you can contact us at any time using the contact details provided. This also applies if you wish to receive copies of safeguards in order to prove an adequate level of data protection. Subject to the respective legal requirements, we will comply with your data protection request.

We will keep your enquiries regarding the establishment of rights under data protection law, and our responses to these, for a period of up to three years for documentation purposes and, where necessary in individual cases, beyond this period if we need to establish, exercise or defend legal claims. The legal basis is Art.6(1) Sentence 1(f) GDPR, based on our interest in defending ourselves against any civil-law claims, avoiding administrative fines and fulfilling our accountability under Art.5 Sentence 2 GDPR.

8.2 Right of withdrawal and to object

Right of withdrawal (Art.7(3) GDPR)

You have the right to withdraw the consent you gave us at any time. As a result of this, we will cease the data processing based on this consent with effect for the future. This withdrawal of your consent will not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

Right to object (Art. 21 GDPR)

General objection: SWhere we process your data on the basis of Art.6(1) Sentence 1(f) GDPR (legitimate interests) or Art.6(1) Sentence 1(e) GDPR, you may object to the processing at any time on grounds relating to your particular situation.

Objection to direct marketing: Where we process your data for direct marketing purposes, you may object to the processing at any time without stating any reasons.

Exercising your rights

If you would like to make use of your right of withdrawal or objection, it is sufficient to simply notify us using the contact details provided above.

8.3 Right to lodge a complaint

Finally, you have the right to lodge a complaint with a data protection supervisory authority (Art.77 GDPR). You can assert this right, for example, by contacting a supervisory authority in the Member State of your habitual residence, your place of work or the place of the alleged infringement.

9. Obligation to provide your data

Unless otherwise explained above, there is generally no obligation to provide personal data, and the website can be used without entering any personal information. Insofar as the processing of data is absolutely necessary in the context of accessing the website, this is done automatically and without this processing the website cannot be used.

Where the provision of your data is required for the conclusion of a contract, for compliance with legal obligations, for making contact or for the use of other services and functions, the relevant input fields are marked as mandatory (usually by an asterisk *). In such cases, without the data provided, a contract cannot be concluded, the specific service cannot be rendered, or the function cannot be used.

Other details not marked as mandatory are voluntary. Providing such data is not required for the conclusion of any contract, the provision of the service or the use of the function, and has no impact on the execution of the contract.

10. Automated decision-making

Automated decision-making, including profiling within the meaning of Art.22 GDPR, which produces legal effects or similarly significantly affects individuals, does not generally take place, unless otherwise explained elsewhere.

11. Changes to this data protection notice

We may occasionally update this data protection notice, for example if we adapt the website or if statutory or regulatory requirements change.

Version: 1.0. Last amended: October 2025