Below, we inform you about the nature, scope, and purpose of the processing of your personal data when using the BaKIM web application (hereinafter “web application”). Personal data means any information relating to an identified or identifiable natural person.

1. Controller

The controller within the meaning of the EU General Data Protection Regulation (GDPR) is the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data. The controller for the personal data processed when you visit our web application is:

City of Bamberg
Smart City Bamberg
Promenadestraße 6a
96047 Bamberg
projekte.smartcity@stadt.bamberg.de

2. Data Protection Officer

The designated data protection officer is the Data Protection Officer of the City of Bamberg. You can reach them at:

City of Bamberg
Data Protection Officer
Maximiliansplatz 3
96047 Bamberg
datenschutz@stadt.bamberg.de

3. When You Visit Our Web Application

When you visit our web application, our server collects the following information from your device:

• the browser type and version used,

• the operating system of the user,

• the Internet service provider of the user,

• the IP address of the user,

• date and time of access.

We collect and process this data in order to ensure the smooth operation of our web application and to detect, prevent, and pursue misuse of our services. Furthermore, we use the collected data for statistical purposes, for example to evaluate which devices and browsers are used to access our web application, in order to continuously adapt and improve our offering to the needs of our users on this basis.

This data processing is carried out on the basis of Article 6 (1) (f) GDPR. All technical data with a personal reference mentioned in the first paragraph are anonymised by us 30 days after collection.

4. User Account

When you create a user account on our web application, we collect your email address, a username of your choosing, your name, the name of your institution, and your role within that institution; without this data we are unable to set up a user account for you. Furthermore, we verify whether you are a member of an institution entitled to use the service (municipality, district authority, or other public body).

We retain the personal data associated with the user account until the contractual relationship regarding the user account with us has been terminated. The legal basis for this data processing is Article 6 (1) (b) GDPR.

5. Uploaded Aerial Imagery

Registered users may upload aerial images of tree populations to our web application. These images are stored on our servers and used in the context of the AI-assisted analysis of tree populations. The aerial images are stored for a period of nine months in order to facilitate re-analysis with updated models. Upon deletion of a created project, the uploaded aerial images are also permanently deleted.

We ask you to ensure that the aerial images you upload do not contain personal data of third parties (e.g. identifiable persons, vehicle registration plates, third-party properties, or other identifying features). Should such data be unintentionally included in your images, we ask you to render it unrecognisable before uploading.

The legal basis for the processing of uploaded images is Article 6 (1) (b) GDPR (performance of a contract) as well as Article 6 (1) (f) GDPR (legitimate interest in carrying out the research project).

6. Reporting Data Protection Violations in Image Material

Should you suspect a data protection violation (e.g. identifiable persons, vehicle registration plates, third-party properties, or other identifying information), you may report this to us via our reporting function: [LINK TO REPORTING PAGE]

We review every report and, in the event of a confirmed violation, take appropriate measures without delay to remove or anonymise the affected personal data.

7. No Automated Decision-Making, No Profiling

We do not use automated decision-making or profiling when deciding on the conclusion of a contract.

8. Storage Period

Unless a more specific storage period has been stated within this privacy policy, your personal data will remain with us until the purpose for the data processing ceases to apply. If you assert a legitimate request for deletion or revoke your consent to data processing, your data will be deleted unless we have other legally permissible grounds for storing your personal data (e.g. retention periods under tax or commercial law); in the latter case, deletion will take place once these grounds cease to apply.

9. SSL/TLS Encryption

This web application uses SSL/TLS encryption for security reasons and to protect the transmission of confidential content. You can recognise an encrypted connection by the browser address bar changing from “http://” to “https://” and by the padlock icon in your browser bar. When SSL/TLS encryption is activated, the data you transmit to us cannot be read by third parties.

10. Your Rights

With regard to the personal data we process about you, you have the following rights:

You have the right to request confirmation from us as to whether we are processing personal data concerning you. If this is the case, we will inform you of the personal data stored about you and the further information pursuant to Article 15 (1) and (2) GDPR.

You have the right to have inaccurate personal data concerning you corrected without delay. Taking into account the purposes of the processing, you also have the right to request the completion of incomplete personal data.

You may request the immediate deletion of your personal data under the conditions of Article 17 (1) GDPR, provided that the processing is not necessary pursuant to Article 17 (3) GDPR.

You may request the restriction of the processing of your data if one of the conditions of Article 18 (1) GDPR applies.

You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and you may request that we transmit this data to another controller without hindrance, insofar as this is technically feasible. This provision applies in accordance with Article 20 (1) GDPR.

Insofar as data processing is based on your consent, you have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of the data processing carried out up until your withdrawal. This provision applies in accordance with Article 21 (1) GDPR.

RIGHT TO OBJECT: FOR REASONS ARISING FROM YOUR PARTICULAR SITUATION, YOU MAY OBJECT AT ANY TIME TO THE PROCESSING OF YOUR PERSONAL DATA;

this right of objection applies to data processing carried out on the basis of Article 6 (1) (f) GDPR in order to safeguard legitimate interests on our part or on the part of a third party, unless your interests or fundamental rights and freedoms, which require the protection of personal data, prevail.

If you believe that the processing of your personal data violates the GDPR, you may lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement. This is without prejudice to other administrative or judicial remedies.

11. Competent Supervisory Authority

The supervisory authority with local jurisdiction for data protection matters in our case is:

Bavarian State Commissioner for Data Protection (Section 15 BayDSG)
Postfach 22 12 19
80502 Munich
https://www.datenschutz-bayern.de/vorstell/impressum.html