Researching archival files Foto: KZ-Gedenkstätte Neuengamme (ÖA), 2017

Privacy policy

With this privacy policy, we inform you about our handling of your personal data and about your rights under the European Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). Controller for data processing is the Stiftung Hamburger Gedenkstätten und Lernorte zur Erinnerung an die Opfer der NS-Verbrechen (hereinafter referred to as "we" or "us").

 

Content

I.      General information

1.     Contact

2.     Legal basis

3.     Duration of storage

4.     Categories of recipients of the data

5.     Data transfer to third countries

6.     Processing in the exercise of your rights

7.     Your rights

8.     Right of objection

9.     Data Protection Officer

II.     Data processing activities on our websites

1.     General information about our websites

a.     Server log files processing

b.     Contact options and requests

c.      Cookies

2.     Further data processing on our websites

a.     Further data processing on www.kz-gedenkstaette-neuengamme.de

b.     Further data processing on www.gedenkstaetten-hamburg.de

c.      Further data processing on gedenkstaetten-in-hamburg.de

d.     Further data processing on waswillstdutun.de

e.     Further data processing on www.lernwerkstatt-neuengamme.de

III.    App

1.     Download the app

2.     Automatic processing of personal data when using the app

3.     Permissions on the end device when using the app

IV.    Data processing on our social media pages

1.     Visit a social media page

2.     Communication via social media sites

V.     Other data processing

1.     Applications

2.     Contact us by e-mail, telephone or fax

3.     Cooperation and tenders

4.     Seminars, conferences and events

5.     Cultural mediators/guides

 

  1. General information
  1. Contact

If you have any questions or suggestions about this information, or if you would like to contact us about asserting your rights, please send your request to

Stiftung Hamburger Gedenkstätten und Lernorte zur Erinnerung an die Opfer der NS-Verbrechen

Jean-Dolidier-Weg 75, 21039 Hamburg
Tel. +49 40 428131500
Fax: +49 40 428131501
E-mail: stiftung@gedenkstaetten.hamburg.de

 

  1. Legal basis

The term "personal data" under data protection law refers to all information relating to an identified or identifiable individual. We process personal data in compliance with the relevant data protection regulations, in particular the GDPR and the BDSG. Data processing by us only takes place on the basis of a legal permission. We process personal data only with your consent (Section 25 (1) TTDSG or Art. 6 (1) a GDPR), for the performance of a contract to which you are a party or at your request for the performance of pre-contractual measures (Art. 6 (1) b GDPR), for the performance of a legal obligation (Art. 6 (1) c GDPR) or if processing is necessary for the purposes of protecting our legitimate interests or the legitimate interests of a third party, unless such interests are overridden by your interests or fundamental rights and freedoms which require the protection of personal data (Art. 6 (1) f GDPR). If you apply for a vacant position at our foundation, we will also process your personal data for the purpose of deciding whether to establish an employment relationship (Section 26 (1) 1 BDSG).

 

  1. Duration of storage

Unless stated otherwise in the following notes, we only store the data for as long as is necessary to achieve the processing purpose or to fulfill our contractual or legal obligations. Such legal retention obligations may arise in particular from commercial or tax law regulations. From the end of the calendar year in which the data was collected, we will retain such personal data contained in our accounting records for ten years and retain personal data contained in commercial letters and contracts for six years. In addition, we will retain data in connection with consents requiring proof as well as with complaints and claims for the duration of the statutory limitation periods. We will delete data stored for advertising purposes if you object to processing for this purpose.

 

  1. Categories of recipients of the data

We use processors as part of the processing of your data. Processing carried out by such processors include, for example, hosting, sending e-mails, maintenance and support of IT systems, customer and order management, order processing, accounting and billing, marketing measures or file and data carrier destruction. A processor is a natural or legal person, authority, institution or other body that processes personal data on behalf of the data controller. Processors do not use the data for their own purposes, but carry out data processing exclusively for the data controller and are contractually obligated to ensure appropriate technical and organizational measures for data protection. In addition, we may transfer your personal data to bodies such as postal and delivery services, house bank, tax consultancy/auditing company or the financial administration. Further recipients may result from the following notes.

 

  1. Data transfer to third countries

Our data processing may involve the transfer of certain personal data to third countries, i.e. countries where the GDPR is not applicable law. Such a transfer takes place in a permissible manner if the European Commission has determined that an adequate level of data protection is required in such a third country. If such an adequacy decision by the European Commission does not exist, a transfer of personal data to a third country will only take place if appropriate safeguards exist pursuant to Art. 46 GDPR or if one of the conditions of Art. 49 GDPR is met.

Unless otherwise stated below, we use the EU standard data protection clauses as appropriate safeguards for the transfer of personal data in third countries. You have the possibility to receive a copy of these EU standard data protection clauses or to inspect them. To do so, please contact us at the address given under Contact.  If you consent to the transfer of personal data to third countries, the transfer will take place on the legal basis of Article 49 (1) a GDPR.

 

  1. Processing in the exercise of your rights

If you exercise your rights in accordance with Articles 15 to 22 of the GDPR, we will process the personal data provided for the purpose of implementing these rights by us and to be able to provide evidence thereof. We will only process data stored for the purpose of providing information and preparing it for this purpose and for data protection control purposes and otherwise restrict processing in accordance with Art. 18 GDPR.

These processing operations are based on the legal basis of Art. 6 (1) c GDPR in conjunction with. Art. 15 to 22 GDPR and § 34 (2) BDSG.

 

  1. Your rights

As a data subject, you have the right to assert your data subject rights against us. In particular, you have the following rights:

  • In accordance with Art. 15 GDPR and § 34 BDSG, you have the right to request access about whether and, if so, to what extent we are processing personal data relating to you or not.
  • You have the right to demand that we correct your data in accordance with Art. 16 GDPR.
  • You have the right to demand that we delete your personal data in accordance with Art. 17 GDPR and § 35 BDSG.
  • You have the right to have the processing of your personal data restricted in accordance with Art. 18 GDPR.
  • You have the right, in accordance with Art. 20 GDPR, to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format and to transfer this data to another controller.
  • If you have given us separate consent to data processing, you may revoke this consent at any time in accordance with Art. 7 (3) GDPR. Such a revocation does not affect the lawfulness of the processing that was carried out on the basis of the consent until the revocation.
  • If you believe that a processing of personal data concerning you violates the provisions of the GDPR, you have the right to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR.
  1. Right of objection

In accordance with Art. 21 (1) GDPR, you have the right to object to processing based on the legal basis of Art. 6 (1) (e) or (f) GDPR on grounds relating to your particular situation. If we process personal data about you for the purpose of direct marketing, you may object to such processing pursuant to Article 21 (2) and (3) of the GDPR.

 

  1. Data Protection Officer

You can reach our data protection officer at the following contact details:

E-mail: dsb_neuengamme@datenschutzkanzlei.de

Herting Oberbeck Datenschutz GmbH

Hallerstr. 76, 20146 Hamburg

https://www.datenschutzkanzlei.de   

 

  1. Data processing activities on our websites

The Foundation operates several websites. When you use the websites, we collect information that you provide yourself. In addition, during your visit to the respective website, certain information about your use of the website is automatically collected by us. In data protection law, the IP address is also generally considered to be a personal data. An IP address is assigned to every device connected to the Internet by the Internet provider so that it can send and receive data.

The following information applies to all websites operated under the responsibility of the Foundation. If special data processing takes place on some websites, this will be marked accordingly.

 

  1. General information about our websites
    1. Server log files processing

During the purely informative use of our website, general information that your browser transmits to our server is initially stored automatically (i.e. not via registration). This includes by default: browser type/version, operating system used, requested page, the previously visited page (referrer URL), IP address, date and time of the server request and HTTP status code.

The processing is carried out to protect our legitimate interests and is based on the legal basis of Art. 6 (1) f GDPR. This processing serves the technical administration and security of the website. The stored data is anonymized immediately after collection, unless there is a justified suspicion of unlawful use based on concrete indications and further examination and processing of the information is necessary for this reason. We are not able to identify you as a data subject on the basis of the stored information. Articles 15 to 22 of the GDPR therefore do not apply pursuant to Article 11 (2) of the GDPR, unless you provide additional information that enables us to identify you in order to exercise your rights set out in these articles.

 

    1. Contact options and requests

Our websites contain contact forms that you can use to send us messages. The transfer of your data is encrypted (recognizable by the "https" in the address line of the browser). All data fields marked as mandatory are required to process your request. Failure to provide this data will result in us not being able to process your request. The provision of further data is voluntary. Alternatively, you can send us a message via the contact e-mail. We process the data for the purpose of answering your request.

If your request is directed towards the conclusion or performance of a contract with us, Art. 6 (1) b GDPR is the legal basis for data processing. Otherwise, we process the data on the basis of our legitimate interest in contacting inquiring persons. The legal basis for data processing is then Art. 6 (1) f GDPR.

 

    1. Cookies

We use cookies and similar technologies ("cookies") on our website. Cookies are small data sets that are stored by your browser when you visit a website. This identifies the browser used and can be recognized by web servers. You have full control over the use of cookies through your browser. You can delete the cookies in the security settings of your browser at any time. You can object to the use of cookies through your browser settings in principle or for specific cases. The use of cookies is technically necessary for the operation of our website or the playout of services requested by you and is therefore permitted without the consent of the user.

 

  1. Further data processing on our websites

In addition, further data processing takes place on some websites, of which we inform you in the following.

 

    1. Further data processing on https://www.kz-gedenkstaette-neuengamme.de/
      • i. Registration form

Our website contains an event calendar with a registration form, which you can use to register for our event and tour formats. The transfer of your data is encrypted (recognizable by the "https" in the address bar of the browser). We process the data in order to be able to plan and organize our event and tour formats. We base this processing on our legitimate interest according to Art. 6 (1) f) GDPR.

All data fields are required for the stated purposes. Failure to provide the data will result in us not being able to consider your registration. Your data will be stored for four weeks after the end of the event and then deleted.

 

      • ii. Newsletter

We offer on our website the possibility to register for our newsletter. After registration we will inform you regularly about the latest news on our offers. A valid e-mail address is required to register for the newsletter. To verify the e-mail address, you will first receive a registration e-mail, which you must confirm via a link (double opt-in). If you subscribe to the newsletter on our website, we process personal data such as your e-mail address and name based on the consent you have given us. The processing is based on the legal basis of Art. 6 (1) a) GDPR. You can revoke the consent granted at any time with effect for the future, for example via the "unsubscribe" link in the newsletter or by contacting us via the channels mentioned above. The legality of the data processing operations already carried out remains unaffected by the revocation. When registering for the newsletter, we also store the IP address and the date and time of registration. The processing of this data is necessary in order to be able to prove that consent has been given. The legal basis arises from our legal obligation to document your consent (Art. 6 (1) c in conjunction with. Art. 7 (1) GDPR).

 

      • iii. Online-Shop

If you order a product via our website, we process personal data exclusively for the purpose of processing the contract or to provide you with the ordered product. In the booking or ordering process, we only process the data that you yourself have entered in the input mask and, if applicable, payment information if you pay by advance bank transfer.  In order to be able to deliver the ordered products to you, we transmit your data required for the delivery to one of our shipping service providers. The legal basis for the processing is in each case Art. 6 (1) b GDPR. All data fields marked as mandatory are required for processing your booking or order. Failure to provide this data will result in us not being able to process your booking or order. The provision of further data is voluntary. The deletion of the data takes place after the expiry of legal storage obligations.

 

      • iv. Archive requests

Our website contains a contact form that you can use to send us an archive request. The transfer of your data is encrypted (recognizable by the "https" in the address line of the browser). All data fields marked as mandatory are required to process your request. Failure to provide this data will result in us not being able to process your request. The provision of further data is voluntary. Alternatively, you can send us a message via the contact e-mail. We process the data for the purpose of answering your request. When releasing data from our archive, we adhere to the requirements of the Hamburg Archive Act (HmbArchG).

We process the data of you as an inquirer on the basis of our legitimate interest and in order to be able to answer your inquiry. The legal basis for the data processing is Art. 6 (1) f GDPR.

 

      • v. Google Maps

We use Google Maps from Google Ireland Limited (Ireland, EU) on our website to display maps. For the integration, we use a two-click solution. When using the two-click solution, no connection is established to the third-party provider, but a placeholder is loaded from our own server. This can be a preview image of the embedded maps or videos. A contact to the "third-party server" is only established after another click on the respective placeholder. The transmission of the IP address therefore only takes place when you confirm this with your click.

The data processing is carried out on the basis of our legitimate interest and is based on Art. 6 (1) f GDPR. For more information on data protection at Google, please refer to Google's privacy policy at www.google.com/policies/privacy.

 

      • vi. Matomo

We use the web analytics service Matomo with our offer. Matomo is an open source software for website optimization, which anonymously evaluates the access of website visitors without the use of cookies. In the process, the IP address is anonymized immediately after it is processed and before it is stored. Therefore, no further processing of personal data takes place when Matomo is used. No user profiles are created and no data is passed on to third parties. This data processing is carried out to protect our legitimate interests in range measurement and statistical analysis of the use of our website. The processing is based on the legal basis of Art. 6 (1) f GDPR. This processing serves the purpose of optimizing our offer but doing so without processing personal data.

You can object to the data processing as a whole at any time by clicking the mouse below to prevent Matomo from processing the data. In this case, a so-called opt-out cookie will be stored in your browser. As a result, Matomo will not collect any session data. If you delete your cookies in your internet browser, the opt-out cookie will also be deleted. It must therefore be activated again when you visit our website again.

You can decide here whether a unique web analytics cookie may be placed in your browser to enable the website operator to collect and analyze various statistical data.
 If you wish to opt out, click the following link to place the Matomo deactivation cookie in your browser.
 

    1. Further data processing on https://www.gedenkstaetten-hamburg.de/
  1. Matterport

We use the Matterport service of Matterport Inc (USA) on our website to integrate and present our online exhibition "Luise - Archaeology of an Injustice". For such an integration, a processing of your IP address is technically necessary so that the content can be sent to your browser. Your IP address is therefore transmitted to Matterport.

The processing of your data is based on Art. 6 (1) f DSGVO and is based on our legitimate interest in the appealing presentation of our content.

When using the service, a transmission of your data to the USA cannot be excluded. Please note the information in the section "Data transfer to third countries". For more information on data protection at Matterport, please refer to Matterport’s privacy policy at https://matterport.com/privacy-policy.

 

    1. Further data processing on https://gedenkstaetten-in-hamburg.de/
      1. Google Maps

We use Google Maps from Google Ireland Limited (Ireland, EU) on our website to display maps. For the integration, we use a two-click solution. When using the two-click solution, no connection is established to the third-party provider, but a placeholder is loaded from our own server. This can be a preview image of the embedded maps or videos. A contact to the "third-party server" is only established after another click on the respective placeholder. The transmission of the IP address therefore only takes place when you confirm this with your click.

The data processing is carried out on the basis of our legitimate interest and is based on Art. 6 (1) f) GDPR. For more information on data protection at Google, please refer to Google's privacy policy at www.google.com/policies/privacy.

 

    1. Further data processing on https://waswillstdutun.de/
      • i. Matomo

We use the web analytics service Matomo with our offer. Matomo is an open source software for website optimization, which anonymously evaluates the access of website visitors without the use of cookies. In the process, the IP address is anonymized immediately after it is processed and before it is stored. Therefore, no further processing of personal data takes place when Matomo is used. No user profiles are created and no data is passed on to third parties. This data processing is carried out to protect our legitimate interests in range measurement and statistical analysis of the use of our website. The processing is based on the legal basis of Art. 6 (1) f) GDPR. This processing serves the purpose of optimizing our offer but doing so without processing personal data.

You can object to the data processing as a whole at any time by clicking the mouse below to prevent Matomo from processing the data. In this case, a so-called opt-out cookie will be stored in your browser. As a result, Matomo will not collect any session data. If you delete your cookies in your internet browser, the opt-out cookie will also be deleted. It must therefore be activated again when you visit our website again.

You can decide here whether a unique web analysis cookie may be stored in your browser to enable the website operator to collect and analyze various statistical data.

If you wish to opt out, please click on the link in the footer of our website.

 

      • ii. Vimeo

We use the Vimeo service of Vimeo, Inc. (USA) on our website to integrate videos. For such an integration, a processing of your IP address is technically necessary so that the content can be sent to your browser. Your IP address is therefore transmitted to Vimeo and Vimeo may set its own cookies. The processing of your data is based on Art. 6 (1) f GDPR and is based on our legitimate interest in the optimization and economic operation of our website.

When using the service, a transfer of your data to the USA cannot be excluded. We ensure the appropriate level of protection by concluding standard contractual clauses in accordance with Art. 46 GDPR. For more information on data protection at Vimeo, please refer to Vimeo's privacy policy at vimeo.com/privacy.

 

    1. Further data processing on https://www.lernwerkstatt-neuengamme.de/
      • i. GoAccess and AWStats

We use the GoAccess and AWStats services on our website. These are locally hosted open source solutions that provide us with various statistics about the use of our website, e.g. the number of website visitors and their origin. These statistics allow us to improve our website and tailor it to the needs of our visitors.

When using the services, your IP address is processed exclusively anonymously.

The anonymization is based on Art. 6 (1) f GDPR and is based on our legitimate interest in the optimization and economic operation of our website.

 

  1. App

In addition to our other online services, we provide you with a mobile app that you can download to your mobile device. In the following, we inform you about the collection and processing of personal data when using our mobile app.

 

  1. Download the app

When downloading the app, certain required information is transmitted to the app store selected by you (e.g. Google Play or Apple App Store), in particular the user name, the e-mail address, time of download, as well as the individual device number may be processed. The processing of this data is carried out exclusively by the provider of the respective app store and is beyond our control.

 

  1. Automatic processing of personal data when using the app

When you use the mobile app, we collect the personal data described below to enable you to use the functions comfortably. If you wish to use our mobile app, we collect the following data, which is technically necessary for us to offer you the functions of our mobile app and to ensure stability and security.

  • IP address
  • Date and time of the request
  • Time zone difference from Greenwich Mean Time (GMT)
  • Content of the request (concrete page)
  • Access status/HTTP status code
  • Data volume transferred in each case
  • Website from which the request comes
  • Browser
  • Operating system and its interface
  • Language and version of the browser software.

 

The legal basis for the processing of this data is Art. 6 (1) f GDPR.

 

  1. Permissions on the end device when using the app

In the course of using the app, it may be necessary to access certain functions of the terminal device used. The app requires access to the Internet. This is required so that the online map can be loaded from Google Maps (Android) or Apple Maps (iOS). To display the map, hard-coded coordinates of the Neuengamme Memorial and the individual visit stations are transmitted.

 

  1. Data processing on our social media pages

We are represented with our foundation and individual projects on several social media platforms. Through this, we would like to offer further opportunities for information about our work and for exchange. Our foundation has pages on the following social media platforms:

 

  • Facebook of Meta Platforms Ireland Limited, (Ireland, EU), hereinafter "Meta".
  • Instagram of Meta Platforms Ireland Limited, (Ireland, EU)
  • LinkedIn of LinkedIn Ireland Unlimited Company, (Ireland, EU), hereinafter "LinkedIn".
  • TikTok of TikTok Technology Limited, (Ireland, EU), hereinafter "TikTok".

When you visit or interact with a profile on a social media platform, personal data about you may be processed. The information associated with a social media profile used also regularly constitutes personal data. This also covers messages and statements made while using the profile. In addition, during your visit to a social media profile, certain information about it is often automatically collected, which may also constitute personal data.

 

  1. Visit a social media page

When you visit our social media site, through which we present our foundation or individual projects, certain information about you is processed. The operators of the social media platforms are solely responsible for this processing of personal data. You can find further information about the processing of personal data in their data protection statements, which we link to below:

 

  • Meta (www.facebook.com/privacy/explanation). Meta offers the option to object to certain data processing; information and opt-out options in this regard can be found at www.facebook.com/settings;
  • LinkedIn (https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy)
  • TikTok (https://www.tiktok.com/legal/page/eea/privacy-policy/de-DE)

 

The operators of the social media platforms collect and process event data and profile data and provide us with statistics and insights for our pages in anonymized form, which we use to gain insights into the types of actions that people take on our page (so-called "page insights"). These page insights are created based on certain information about individuals who have visited our site. This processing of personal data is carried out by the social media operators and us as joint controllers. The processing serves our legitimate interest to evaluate the types of actions taken on our site and to improve our site based on these insights. The legal basis for this processing is Art. 6 (1) f GDPR.

We cannot assign the information obtained via Page Insights to individual user profiles that interact with our pages. We have entered into joint controller processing agreements with the operators of the social media platforms, which specify the distribution of data protection obligations between us and the operators. Details about the processing of personal data to create page insights and the agreement concluded between us and the operators can be found at the following links:

 

You also have the possibility to assert your rights against the operators. You can find more information about this under the following links:

We have agreed with Meta, LinkedIn and TikTok that the Irish Data Protection Commission is the lead supervisory authority overseeing processing for Page Insights. You always have the right to lodge a complaint with the Irish Data Protection Commission (see at www.dataprotection.ie) or any other supervisory authority.

 

  1. Communication via social media sites

We also process information that you have provided to us via our pages on the respective social media platform. Such information may be the username used, contact details or a message to us. This processing by us takes place as the sole responsible party. We process this data on the basis of our legitimate interest in contacting inquiring persons. The legal basis for the data processing is Art. 6 (1) f GDPR. Further data processing may take place if you have consented (Art. 6 (1) a GDPR) or if this is necessary for the fulfillment of a legal obligation (Art. 6 (1) c GDPR).

 

  1. Other data processing
  1. Applications

If you apply for a position at our foundation, we will process your application data exclusively for purposes related to your interest in current or future employment with us and the processing of your application. Your application will only be processed and noted by the relevant contact persons at our company. All employees entrusted with data processing are obliged to maintain the confidentiality of your data. If we are unable to offer you employment, we will retain the data you have provided for up to six months after any rejection for the purpose of answering questions relating to your application and rejection. This does not apply if legal provisions prevent deletion, if further storage is necessary for the purpose of providing evidence, or if you have expressly consented to longer storage. The legal basis for data processing is Section 26 (1) sentence 1 BDSG. If we store your applicant data beyond a period of six months and you have expressly consented to this, we would like to point out that this consent can be freely revoked at any time in accordance with Art. 7 (3) GDPR. Such revocation shall not affect the lawfulness of the processing that was carried out on the basis of the consent until the revocation.

 

  1. Contact us by e-mail, telephone or fax

If you send us a message via the contact email provided, call us or send us a fax, we will process the transmitted data for the purpose of responding to your inquiry.

We process this data based on our legitimate interest to get in contact with inquiring persons. The legal basis for the data processing is Art. 6 (1) f GDPR.

 

  1. Cooperation and tenders

If you contact us in a business context, we process your contact and communication data for the establishment or implementation of the contractual relationship to the extent necessary. The legal basis for this processing is Art. 6 (1) f GDPR.

Further data processing may take place if you have consented (Art. 6 (1) a GDPR) or if this is necessary for the fulfillment of a legal obligation (Art. 6 (1) c GDPR).

 

  1. Seminars, conferences and events

We offer you various ways to register for our seminars, conferences and events. In doing so, we process your personal data such as name, address and contact details in order to manage the registrations and prepare the events. The data processing is necessary to provide the service and is also based on the legal basis of Art. 6 (1) b GDPR.

In the case of group registrations, we also process the name and, if applicable, contact details of the individual participants for the purpose of planning the event. This data processing is based on our legitimate interest according to Art. 6 (1) f GDPR.

At events where we offer food and drinks, you have the opportunity to inform us about allergies and intolerances. This is health data. By disclosing the information, you give us permission to process this data for consideration in the preparation of food and beverages. The legal basis is Art. 9 (2) a GDPR in conjunction with. Art. 6 (1) a GDPR. The consent is voluntary and can be revoked at any time. The data will be deleted after revocation or after the event.

 

  1. Cultural mediators/guides

For the realization of events and to convey the best of our exhibitions to you, we work with freelance cultural mediators/guides. They will guide you through the event and provide you with in-depth and unique cultural knowledge.

We transmit personal data to the cultural mediators only if this is necessary in the context of the contract, for example, to the cultural mediator commissioned with the implementation of event.

We have concluded a contract with all cultural mediators, which ensures that they only process the personal data of our participants according to our instructions and in compliance with the GDPR.

We transmit only the following data to the respective cultural mediator:

Name of group leader, size of group, age group, institution if applicable, name of institution, phone number, email address, address, which event was booked and for school classes the grade level.

The basis for the data processing is Art. 6 (1) b GDPR, which allows the processing of data for the performance of a contract or pre-contractual measures.