Status: November 2023
Data protection is a top priority for SWIFT-ACT GmbH i.G. We know that careful handling of your personal information is important to you. That is why we treat your data confidentially in strict compliance with the applicable data protection regulations.
Below we explain which data we use on Instagram, at what time and for what purpose. Instagram is an online service for sharing photos and videos that belongs to Facebook.
We want you to understand how the services work and how we ensure the protection of your personal data, which is very important to us. We only use your personal data if we have your consent or legal permission to do so.
We would like to draw your attention to the fact that there is massive criticism of the way Facebook works and its data protection practices. One of the biggest data protection problems is that, according to the prevailing opinion in the specialist literature, the NSA has access to Instagram and Facebook data through its programs such as PRISM and XKEYSCORE, and that no deletion periods are provided for this data. In this way, profiles of every person are to be permanently created by the NSA intelligence service. Facebook also combines the personal data from Instagram with Facebook and WhatsApp data as well as other data to enable profiling. At the same time, Facebook is one of the most important social media tools and many business people rely on working with Instagram (keyword “social proof”, for example). We try to make this as data protection compliant as possible by being transparent about it.
Table of contents
I. Principles of joint processing and contact details of the controller
II. Contact details of the data protection officer
III. General information on data processing at Instagram
IV. Purposes and legal bases
V. Categories of data
VI. Recipients of data
VII. Data transfers
VIII. Storage duration
IX. Automated decisions
X. Business profile
XI. Rights of the data subject
I. Principles of joint processing and contact details of the controller
1. Joint controllers for the processing of personal data
The purposes and means of processing personal data when visiting our Instagram page are jointly determined by SWIFT-ACT GmbH (i.Gr.), Kirschenweg 8, 42929 Wermelskirchen, Germany, and Facebook Ireland Ltd (“Facebook”) within the meaning of Art. 26 of the EU General Data Protection Regulation (GDPR). This results from the fact that SWIFT-ACT GmbH (i.Gr.), as the operator of the Instagram page, gives Facebook, as the operator of the Instagram service, the opportunity to process personal data by setting up such an account.
Facebook assumes primary responsibility under the GDPR for the processing of Insights data as part of joint responsibility and fulfills all obligations under the GDPR with regard to the processing of Insights data (including Articles 12 and 13 GDPR, Articles 15 to 22 GDPR and Articles 32 to 34 GDPR). In addition, Facebook makes the essence of this Page Insights Addendum available to the data subjects (governed by the corresponding “Page Insights Controller Addendum”).
Below you will find a description of the handling of personal data by SWIFT-ACT GmbH (i.Gr.) and Facebook when you visit the Instagram account. However, since SWIFT-ACT GmbH (i.Gr.) generally or to a large extent has no influence on the data collected by Facebook and its processing by Facebook, we cannot currently provide any clear information on the purpose and scope of the processing of your data by Facebook. However, we will monitor further developments in this regard and adapt this privacy policy accordingly if necessary.
We would like to point out that you use the Instagram account and its functions on your own responsibility. This applies in particular to the use of interactive functions (such as commenting, sharing, rating).
2. Name and address of the joint controllers
a) The primary controller is:
Facebook Ireland Ltd.
4 Grand Canal Square
Grand Canal Harbour
Dublin 2 Ireland
b) The other responsible party is:
SWIFT-ACT GmbH (i.Gr.)
Kirschenweg 8,
42929 Wermelskirchen,
Germany
+2-0106-2621-177 +2-0155-2199-552
II. Contact details of the data protection officer
You can reach the data protection officer of the other controller SWIFT-ACT GmbH (i.Gr.) under 2.b) at
DataCo GmbH
Dachauer Street 65
80335 Munich
Munich, Germany
+49 89 7400 45840
www.dataguard.de
You can contact the data protection officer of Facebook Ireland via the online contact form provided on the Facebook platform.
III. General information on data processing by Instagram
1. Data processing by Facebook
The Instagram Privacy Policy specifies the categories of personal data that are processed when using Facebook products such as Instagram. The policy generally describes the purposes for which this data is used and lists the categories of recipients to whom this data is sent. You will also find information on the legal basis for the processing of this data as well as information on how you can withdraw your consent to the processing of personal data. The policy also explains how you can exercise your rights of access, rectification, portability and erasure against Facebook Ireland. For more information about your control options, please refer to Instagram’s settings options or their help pages.
2. Cookies from Facebook
When you visit our Instagram page and your browser allows cookies to be stored, Facebook stores information in the form of small text files in your browser’s memory (hereinafter referred to as “cookies”) and can access this information when you visit the Instagram or Facebook platform. For more information on the purpose of the cookies used, the integration of these cookies by other websites and your control options in this regard, please refer to Facebook’s information on Instagram cookies.
We would like to point out that Facebook is able to track your user behaviour with the help of the cookies used. This applies both to those who are registered on the Instagram platform and to those who are not.
We would also like to point out that we have no influence on Facebook’s data processing in connection with cookies. It is also possible to visit our Instagram page if you configure your browser so that no cookies are stored by Facebook. Information on how to adjust the settings for cookies in your browser can usually be found in the help section of the browser you are using.
If you are registered or logged in to the Instagram or Facebook platform and want to prevent Facebook from linking your visit to our Instagram page to your Instagram or Facebook user account, you should log out of Instagram, delete the cookies on your device and close and restart your browser.
3. Data processing during interactions on our Instagram page
On our Instagram company page, you have the option of reacting to our posts, commenting on them and sending us messages. Please check what personal data you share with us via our Instagram company page. If you wish to prevent Facebook from processing the personal data you have submitted to us, please contact us using the contact details provided above.
In addition to the content you submit, information about your profile and posts will be visible to us, depending on your privacy settings. You can change this yourself using the Instagram settings.
As far as we can, your data processed by us will be deleted when our Instagram company page is closed. If this data continues to be stored by Facebook, it is based solely on the provisions of the Instagram Privacy Policy and Instagram’s Terms of Use.
IV. Purposes and legal bases
Your personal data is collected in order to communicate with customers and business partners of SWIFT-ACT GmbH (i.Gr.), to market the products and thereby to develop better products for our customers.
The processing of your data when contacting or interacting with our Instagram account or its content is carried out by us on the basis of Art. 6 para. 1 sentence 1 point f GDPR. Our legitimate interest lies in responding to your inquiry or interacting with our customers in the context of social media marketing. If your contact is aimed at concluding a contract, the additional legal basis for processing is Art. 6 para. 1 sentence 1 point b GDPR.
We process the data provided by you in this context in order to protect our legitimate interests in customer communication. This also includes our legitimate interests in data processing in accordance with Art. 6 para. 1 sentence 1 point f GDPR.
V. Categories of data
The information that Facebook processes:
– Device attributes: Information such as the operating system, hardware and software versions, battery level, signal strength, available storage space, browser type, app and file names and types, and plugins.
– Processes on the device: Information about the operations and activities performed on the device, such as whether a window is in the foreground or background or mouse movements.
– Identifiers: Unique identifiers, device IDs and other identifiers, such as those of games, apps or accounts used, and family device IDs.
– Device signals: Bluetooth signals and information about nearby Wi-Fi access points, beacons and cell towers.
– Data from the device settings: Information from the device settings, such as access to GPS location, camera or photos.
– Network and connections: Information such as the name of the mobile or internet provider, language, time zone, cell phone number, IP address or connection speed and in some cases information about other nearby devices.
– Cookie data: Data from cookies stored on the device, including cookie IDs and settings.
VI. Recipients of data
The majority of personal data, such as photos, names or usernames, are made public by Instagram. Only direct Instagram messages to SWIFT-ACT GmbH (i.Gr.) are data that are not public in the context of this privacy policy. Your personal data will be passed on by SWIFT-ACT GmbH (i.Gr.) to internal employees of the marketing and sales department and, if necessary, to processors such as a marketing agency.
The transfer of data to third parties or authorities, such as the NSA, by Facebook is to be assumed and is described in their privacy policy and the specialist literature.
VII. Data transfers
The Instagram Privacy Policy explains Facebook’s data transfers to third countries and their legal basis.
There are no plans on the part of SWIFT-ACT GmbH (i.Gr.) to transfer data to third countries.
VIII. Storage period
In the Instagram Privacy Policy, you will also find information on the duration of the storage of personal data as well as information on the criteria for determining this duration and on the possibility of blocking or deleting Instagram accounts.
IX. Automated decisions
Instagram uses automated decisions to display content to users. Instagram recommends content that Instagram believes users will like. SWIFT-ACT GmbH (i.Gr.) is not aware of the underlying decision-making logic. The scope of the use of Instagram and other similar social media and its effects are large and can be used in mass surveillance systems and for deepfakes and other facial recognition systems.
X. Business Profile
The Instagram page of SWIFT-ACT GmbH (i.Gr.) is a business profile (hereinafter “Instagram business page” or “business presence”) and therefore has the Instagram Insights function. This means that part of the data collected by Facebook during use is made available to us as a statistical analysis in anonymized form. This statistical analysis only relates to users, content and activities on our Instagram page. The analysis specifically includes the following data:
– Number of “likes” on our photos and videos
– Number of comments on our photos and videos
– Number of people who have seen a photo or video
– Number of times a photo or video has been shared
– Number of times a photo or video was reported as spam
– Number of times the user has clicked that they no longer like the page
This information transmitted by Facebook to SWIFT-ACT GmbH (i.Gr.) is anonymized and cannot be linked by us to you as a user of the Instagram page. However, this does not mean that data collection and data processing by Facebook itself is anonymized.
On our Instagram company page, we provide information and offer Instagram users the opportunity to communicate. If you perform an action on our Instagram company page (e.g. comments, posts, likes, etc.), you may make personal data (e.g. real name or photo of your user profile) public. However, as we generally and to a large extent have no influence on the processing of your personal data by Facebook, we cannot provide any binding information on the purpose and scope of the processing of your data by Instagram or Facebook.
Our Instagram company page is used for communication and information exchange with (potential) customers and business partners. In particular, we use the company page for:
- Products
- Competitions
- Employer branding
Publications on the company page may contain the following content:
- Information about products
- Competitions
- Advertising
Every user is free to publish personal data through activities.
The data generated by the company page is not stored in our own systems.
You can object to the processing of your personal data that we collect in the context of your use of our Instagram company page at any time and/or assert your data subject rights mentioned under XI. of this privacy policy.
You must contact Instagram directly to assert your data subject rights against Facebook as set out in XI. of this Privacy Policy.
XI. Rights of the data subject
If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:
1. Right of access
If your personal data is processed, you have the right to obtain information from the controller about the personal data stored about you (Art. 15 GDPR).
2. Right to rectification
If incorrect personal data is processed, you have the right to rectification (Art. 16 GDPR).
3. Right to erasure or restriction and objection
If the legal requirements are met, you can request the erasure or restriction of processing and object to processing (Art. 17, 18 and 21 GDPR).
4. Right to information
If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged pursuant to Art. 19 GDPR to notify all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.
5. Right to data portability
If you have consented to the data processing or a contract for data processing exists and the data processing is carried out using automated procedures, you may have a right to data portability (Art. 20 GDPR).
6. Right to object
In accordance with Art. 21 GDPR, you have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Art. 6 para. 1 sentence 1 point e or f GDPR; this also applies to profiling.
7. Right to revoke the declaration of consent under data protection law
If you have consented to the processing by the controller by means of a corresponding declaration, you can revoke your consent at any time for the future. This does not affect the lawfulness of the data processing carried out on the basis of the consent until revocation.
8. Automated decision in individual cases including profiling
In accordance with Art. 22 GDPR, you have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you.
9. Right to lodge a complaint with a supervisory authority
You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).
This privacy policy was created with the support of Data Guard.