# Privacy policy for Research Activity and the Wikimedia Germany Research Contact Pool

This privacy policy states how Wikimedia Deutschland e.V. ( “WMDE”) processes personal data of participants in our research activity in general and in the Wikimedia Research Contact Pool specifically to optimize the Wikimedia projects and services.

## Information on the responsible for data processing and contact details of the Data Protection Officer

### Controller

Wikimedia Deutschland – Gesellschaft zur Förderung Freien Wissens e. V.\
Tempelhofer Ufer 23/24\
10963 Berlin

Email: [ux@wikimedia.de](mailto:ux@wikimedia.de)\
Phone: +49 (0)30-577 11 62-0\
Fax: +49 (0)30-577 11 62-99

### You may reach out to our Data Protection Officer using the following contact details:

Thorsten Feldmann, LL.M.\
JBB Rechtsanwälte Jaschinski Biere Brexl Partnerschaft mbB\
Christinenstr. 18/19\
10119 Berlin

Email: [datenschutz@wikimedia.de](mailto:datenschutz@wikimedia.de)\
Phone: +49 30 443 765 0

## Purpose, duration and legal basis for processing personal data

### Registration for the Wikimedia Research Contact Pool and feedback

When you register for the Wikimedia Research Contact Pool, we collect and process certain personal data. These are your name, username or other chosen pseudonym and your email address. In addition, we may ask you for further optional information after registration so that we can assess which research activities you are eligible for.

We process the aforementioned personal data, so you may participate in the Wikimedia Research Contact Pool and so that we can invite and contact you for research activities or other actions related to the pool. 

The purpose for conducting the surveys and other research activities is to improve the usability, usefulness and general user experience of Wikipedia and Wikimedia projects such as Wikidata and Wikibase. The legal basis for this is Article 6 paragraph 1 item b) GDPR and Article 6 paragraph 1 item. f) GDPR, as the aforementioned purposes are also legitimate interests of WMDE.

The personal data collected during registration and during the research activities will be processed for the duration of your membership of the Wikimedia Research Contact Pool and will then be deleted immediately. You can terminate your membership at any time by sending us your unsubscribe request by email to [ux@wikimedia.de](mailto: ux@wikimedia.de). Your personal data will then be deleted.

### Interviews and other research activities

We may invite you for an interview or other user research activity, where we ask about your experiences with our services and/or ask you to show us how you perform certain tasks using our products or prototypes for new features we are developing. These research activities will either take place in person or via other means, for example video meeting software like BigBlueButton or Google Meet. We use the information gathered to improve our services, which also constitutes our legitimate interest in processing the data. The legal basis for this processing is thusly Article 6 paragraph 1 item f) GDPR, unless consent has been obtained in accordance with Article 6 paragraph 1 item a). If need be, we will take notes during the interview which will be anonymized after some time, which depends on the specific research project.

With your consent, we may record your activities and/or the interview and transcribe it. The record will be deleted after the end of the project. Any references to your person will be purged from the transcript. Should we intend to store the recording in a personalized form for a longer period, we will separately inform you. The legal basis for the recording and processing of video data is Article 6 paragraph 1 item f) GDPR. Our legitimate interest lies in the documenting and archiving of the interviews.

### Payment of compensation

We reserve the right to offer you a compensation (which can be a sum of money, but also gift cards or similar items) for participating in the surveys and research activities. We will then process your name and other information such as your banking information as required to compensate you. The data will be processed for these purposes until the payment is made and then for the regular limitation period of 3 years, starting at the end of the year in which the payment was made. The legal basis for this is Article 6 paragraph 1 item b) GDPR.  

In addition, for tax and accounting reasons, we must retain certain documents relating to the payment for a period of 6 or 10 years (depending on the document) in order to comply with our statutory retention obligations. The legal basis for this is Article 6 paragraph. 1 item c) GDPR and Section 147 of the German Fiscal Code (Abgabenordnung).

### Connection to our site

When you visit our site, your device automatically transmits some technical data to us. These are, for instance:

- Type and version of your browser
- Your operating system
- Referrer URL
- Host name of the computer accessing our site
- Time stamp of the server request
- IP address

We process the data to give you access to our site. We store this data only in anonymized form. The legal basis for the processing of data is Article 6 paragraph 1 item f) GDPR, whereas our legitimate interest is providing you with our site.

### Contacting WMDE

Should you contact us in any other matter, this will generally happen via email. We will process your email address, if need be your name and any other personal data you provide within your message for the purpose of responding to your request. As this constitutes a legitimate interest of ours, the legal basis for this processing of data is the Article 6 paragraph 1 item f) GDPR. We will store your request as long as it takes to answer and will subsequently delete it.

## Recipients and transmissions to third countries

Your data may be processed by our external (e.g. technical) service providers, which have been contractually obliged to data protection.  

We do not transfer personal data to third countries except as described hereafter. 

We use the service Google Workspace of the Google Ireland ltd. Gordon House, Barrow Street, Dublin 4, Ireland (“Google”) for our work procedures. When using the service, data might be transmitted to their parent company, the Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google LLC is certified under the Data Privacy Framework, and thus an appropriate level of data protection is ensured.

We use Great Question of the Great Question Inc, of 2261 Market Street #4639, San Francisco, California, 94114, USA for organizing our research activity including sign up for the user pool, storage of contact and research data information, sending invitations, recording of interviews and compensation. Great Question processes personal data in countries outside of the EU. We have concluded standard contractual clauses as appropriate safeguards to ensure an adequate level of protection for the personal data processed. You can obtain a copy of the standard contractual clauses under: [https://greatquestion.co/about/terms](https://greatquestion.co/about/terms)

We use the marketing platform Mailchimp of The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA as registration form for the list of participants. The Rocket Science Group is certified under the Data Privacy Framework as well, so an appropriate level of protection of your personal data is ensured. 

We also use the service Dovetail of the Dovetail Research Pty. Ltd., Level 1, 276 Devonshire Street, Surry Hills, 2010 Sydney for storing records and transcripts. Dovetail processes personal data in countries outside of the EU. We have concluded standard contractual clauses as appropriate safeguards to ensure an adequate level of protection for the personal data processed. You can obtain a copy of the standard contractual clauses under: [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914) 

## Your data subject rights to information, to rectification, to deletion of data, to restriction of processing, to data portability and to lodge a complaint with a supervisory authority

The GDPR grants you certain rights which you can assert against us, provided the legal requirements are met.

**Article 15 GDPR — right to access of the data subject**: You have the right to demand confirmation whether personal data pertaining to you are processed, and if so what data and under which specific circumstances.

**Article 16 GDPR — right to rectification**: You have the right to demand the immediate rectification of any incorrect personal data pertaining to you. When doing so, you also have the right to demand the completion of incomplete personal data, also by way of a complementary declaration, with consideration to the purpose of the processing.

**Article 17 GDPR — right to erasure of data**: You have the right to demand that personal data pertaining to you be deleted immediately.

**Article 18 GDPR — right to restriction of processing**: You have the right to demand the restriction of processing from us.

**Article 20 GDPR — right to data portability**: Where we process personal data based on consent or for fulfilling a contract, you have the right to demand to receive the personal data pertaining to you which you have provided us with in a structured, common and machine-readable format and to transmit said data to another responsible party without obstruction from us or to have the data transmitted directly to the other responsible party, as far as this is technically feasible.

**Article 77 GDPR — right to lodge a complaint with a supervisory authority**:  You have the right to lodge a complaint with a data protection authority at any time, especially in the member state of your residency, your workplace or the place of the alleged violation, if you are of the opinion that the processing of your personal data is in violation of applicable law.

## Right to object and revocation of consent

**Article 21 GDPR — right to object**: On grounds that arise from your particular situation, you have the right to object at any time to the processing of your personal data that is necessitated by our legitimate interest or by adhering to a task of public interest or that takes place during the exercise of public power, by contacting us in one of the aforementioned manners, for instance by sending an email to [ux@wikimedia.de](mailto: ux@wikimedia.de).

In case of your objection, we will no longer process your personal data, unless we can prove compelling reasons for the processing which are worthy of protection, which outweigh your interest, rights and freedoms or if the processing is effected on purpose of the claiming, asserting or defending of legal claims.

**Article 7 GDPR — revocation of consent**:  If you have given consent to us, you have the right to revoke this consent at any time. In this case, all data processing that we undertook up until the time of your objection remains lawful. In order to do so, you can simply click the link contained in the mail to unsubscribe from the email service, effect the respective changes in your user account, or send a message to [ux@wikimedia.de](mailto: ux@wikimedia.de). If you inform us about the fact that you do not wish to receive mail from us in the future, we will no longer send message to the email address stated by you.

## Duty to provide data

You have no duty to provide us with personal data, neither by law nor by contract. We are unable to offer our services without the data being provided by you, though.

## Automated decision-making (including profiling)

We do not employ automated decision-making according to Article 22 GDPR that has legal effect on you or affects you negatively in any other way.

## Contact

If you have any questions regarding our privacy policy, kindly contact us via the email address [ux@wikimedia.de](mailto: ux@wikimedia.de).