The protection of personal data is very important to us. Therefore, we would like to inform you comprehensively below about the collection and use of personal data in our online offer. In doing so, we will try to use language that is as simple and understandable as possible.
1. Name and address of the responsible person and data protection officer
The responsible party within the meaning of the General Data Protection Regulation and other national data protection laws of the Member States as well as other data protection regulations is:
Green City Solutions GmbH
The data protection officer of the responsible person is:
Data protection department
PGP key for encrypted end-to-end communication
A controller is a natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.
The controller verifies the permissibility of data processing through the use of technical and organizational measures that are subject to regular review.
Personal data means any information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”). An identifiable natural person is one whose identity can be determined, in particular by means of association with an identifier such as a name, an identification number, location data, an online identifier (e.g. IP address or cookies). This also includes one or more special characteristics that are an expression of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
Processing is any operation (or series of operations) performed upon personal data, whether or not by automated means. This therefore includes any handling of personal data such as collection, storage, modification, use, transmission, dissemination, erasure (a change to a data item that then no longer allows a personal reference) or destruction (removal of a data item from the data stock, without the possibility of recovery).
Pseudonymization is the processing of personal data in such a way that this data can no longer be unambiguously assigned to a data subject without the use of additional information. This additional information must be treated separately and be subject to technical and organizational measures that ensure that the personal data is no longer combined for identification purposes.
A processor is an entity (a natural or legal person, e.g. a company, authority or institution) that processes personal data on behalf of the controller.
A recipient is a natural or legal person, authority, body or other entity to which personal data are disclosed, whether or not it is a third party. However, public authorities that may receive personal data in the context of a specific investigation mandate under Union or Member State law are not considered recipients.
A third party is a natural or legal person, public authority, agency or other body, other than the data subject, the controller, the processor and the persons authorized to process the personal data under the direct responsibility of the controller or the processor.
Consent is an expression of informed and free (in this case data protection) self-determination.
It is an unequivocal expression of will in the form of a declaration or other unambiguous confirming action. With this declaration, the data subject indicates that he or she consents to the processing of personal data relating to him or her. Consent given in this manner may be revoked at any time.
Third countries are countries that lie outside the legal area of the EU and are therefore only subject to the GDPR on a subordinate basis because national provisions could take precedence over the GDPR.
Unsafe third country
A so-called unsafe third country according to the GDPR (or also an international organization that is subject to the legal system of this unsafe third country) is a country for which the EU Commission has not yet determined that data protection there is to be classified as equivalent to that of the EU (and thus the GDPR). It is the responsibility of the controller to check which legal situation exists with regard to the processing of personal data in such a third country and whether processing can be carried out safely.
Unsafe third country USA
In its judgment of 16.07.2020, Case No. C-311/18, the EU Court of Justice determined that no protection of personal data equivalent to the GDPR exists in the USA. The ruling thus not only establishes that the previously existing equivalence decision (called Privacy Shield) was unlawful, but goes even further and establishes that access to personal data by US authorities under the US FISA and Cloud Act regulations cannot be brought into line with those of the GDPR.
In the case of data transfers to US companies that are subject to the jurisdiction of the US, access by US authorities must therefore be assumed. In this regard, it does not matter whether or not the servers on which personal data is processed or stored are located within the EU, as US authorities can also access data within the EU (and then transfer it to the US).
Since it remains unclear in the individual case how US authorities use personal data, no blanket statement can be made about the consequences. Conceivable consequences include, for example, more difficult entry conditions for you or the lack of effective legal protection against the processing of your personal data and its consequences.
3. Principles of data processing
As a matter of principle, we process your personal data only to the extent necessary to provide our online service. Your personal data is regularly processed only after you have given your consent or if the processing of the data is permitted by legal regulations.
Legal basis for the processing of personal data
In data protection, the basic concept of a prohibition with reservation of permission applies with regard to the processing of personal data. This means that processing is generally prohibited unless a legal permission allows the processing. We are obliged and also want to inform you about the legal basis for data processing.
If we obtain your consent for the processing of personal data, Art. 6 (1) lit. a DSGVO serves as the legal basis.
If processing operations are necessary for the performance of a contract concluded between you and us or for the implementation of pre-contractual measures, Art. 6 (1) lit. b DSGVO serves as the legal basis.
If the processing of personal data is necessary for the fulfillment of a legal obligation to which we are subject, such as legal retention and storage obligations, Art. 6 (1) lit. c DSGVO serves as the legal basis.
In the event that vital interests of the data subject or another natural person make processing of personal data necessary, Art. 6 (1) lit. d DSGVO is the legal basis.
If the processing is necessary to protect our or a third party’s legitimate interests and your interests, fundamental rights and freedoms do not override the former interest, the processing of personal data is legitimized by Art. 6 (1) lit. f DSGVO.
Disclosure of personal data to third parties and processors
We do not disclose personal data to third parties without your express consent. If, in the course of processing, we nevertheless disclose your data to third parties, transmit it to them or otherwise grant them access to the data, this is also done exclusively on the basis of one of the aforementioned legal grounds. If we are obliged to do so by law or by court order, we must transfer your data to bodies entitled to receive such information.
In some cases, we use carefully selected external service providers to process your data. If data is passed on to service providers as part of a so-called order processing, this is done on the basis of Art. 28 DSGVO. Our processors are carefully selected, are bound by our instructions and are regularly monitored by us. We only commission processors who provide sufficient guarantees that appropriate technical and organizational measures are taken in such a way that the processing is carried out in accordance with the requirements of DSGVO and BDSG-neu and ensures the protection of your rights.
Data transfer to third countries
If we use service providers of unsafe third countries, these are explicitly listed under Chapter 5 and any use is exclusively limited in time and in accordance with the principles of Article 49 of the GDPR.
Existence of automated decision making
We only perform automated decision making or profiling using the services we use if you have given your consent to do so. Which of the services we use make such a decision and how profiling is specifically carried out can be found listed for each service in Chapter 5.
Deletion of data and storage period
As soon as the purpose for storage ceases to apply, we will delete or block your personal data. Beyond this, however, storage may take place if this has been provided for by the European or national legislator in EU regulations, laws or other regulations to which we are subject. This applies, for example, to data that must be retained for reasons of commercial or tax law, e.g. invoice data. Your data will be blocked or deleted if a storage period prescribed by these regulations expires, unless there is a need for further storage of the data for the conclusion or performance of a contract.
Existence of automated decision making
We do not use automated decision-making or profiling.
4. Your rights as a data subject
If personal data concerning you is processed, you are a data subject within the meaning of the GDPR. You are entitled to the following rights vis-à-vis us as the data controller:
Right to revoke a declaration of consent under data protection law.
If the processing of personal data is based on a granted consent, you have the right to revoke this consent at any time. The revocation does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
Right to information
You have the right to request confirmation from us as to whether we are processing personal data relating to you. If this is the case, you can request information about the following:
- the purposes of processing;
- the categories of personal data that are processed;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed; in addition, in connection with transfers to a third country or an international organization, you have the right to be informed about the appropriate safeguards pursuant to Article 46 of the GDPR;
- if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration;
- the existence of a right to rectification or erasure of the personal data concerning you or to restriction of processing by us or a right to object to such processing;
- the existence of a right of appeal to a supervisory authority;
- if the personal data is not collected from you, any available information about the origin of the data;
- the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.
We will provide you with a copy of the personal data that is the subject of the processing within one month of receiving your request for information. For any additional copies you request, we may charge a reasonable fee based on administrative costs. If you make the request electronically, we will provide you with the information in a commonly used electronic format unless you specify otherwise.
Right to rectification
You have the right to request that we correct your personal data without undue delay if it is inaccurate. Taking into account the purposes of the processing, you have the right to request that incomplete personal data be completed, including by means of a supplementary declaration.
Right to erasure (“right to be forgotten”)
You have the right to request that we erase personal data concerning you without undue delay, and we are obliged to erase personal data without undue delay, if one of the following reasons applies:
- The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
- You withdraw your consent on which the processing was based and there is no other legal basis for the processing.
- You object to the processing and there are no overriding legitimate grounds for the processing.
- The personal data have been processed unlawfully.
- The erasure of the personal data is necessary for compliance with a legal obligation under Union or Member State law.
- The personal data has been collected in relation to information society services offered in accordance with Article 8(1) of the GDPR.
If we have made the personal data concerning you public and we are obliged to erase it, we shall take reasonable measures, including technical measures, having regard to the available technology and the cost of implementation, to inform data controllers who process the personal data that you have requested that they erase all links to or copies or replications of that personal data.
The right to erasure (“right to be forgotten”) does not exist to the extent that the processing is necessary:
- for the exercise of the right to freedom of expression and information;
- for compliance with a legal obligation which requires processing under Union or Member State law to which we are subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;
- for reasons of public interest in the area of public health pursuant to Art. 9(2)(h) and (i) and Art. 9(3) DSGVO;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Art. 89(1) DSGVO, insofar as the right to erasure is likely to render impossible or seriously prejudice the achievement of the purposes of such processing; or
- for the assertion, exercise or defense of legal claims.
Right to restriction of processing
You have the right to request us to restrict the processing of your personal data if one of the following conditions is met:
- you dispute the accuracy of the personal data concerning you for a period of time that allows us to verify the accuracy of the personal data;
- the processing is unlawful and you request the restriction of the use of the personal data instead of erasure;
- we no longer need the personal data for the purposes of processing, but you need it for the assertion, exercise or defense of legal claims; or
- you have objected to the processing as long as it has not yet been determined whether our legitimate grounds override your grounds.
Where processing has been restricted in accordance with the above conditions, such personal data shall – apart from being stored – only be processed with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.
If processing has been restricted in accordance with the above conditions, we will inform you before the restriction is lifted.
Right to data portability
You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format, and you have the right to transfer this data to another controller without hindrance from us, provided that the processing is based on consent or on a contract and is carried out with the help of automated processes.
In exercising the right to data portability, you may obtain that the personal data be transferred directly from us to another controller, where this is technically feasible. The exercise of the right to data portability does not affect the right to erasure (“right to be forgotten”). This right does not apply to processing necessary for the performance of a task entrusted to us, in the public interest or in the exercise of official authority.
Right of objection
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6(1)(e) or (f) DSGVO. This also applies to profiling based on these provisions. We will then no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
If personal data are processed for the purpose of direct marketing, you have the right to object at any time to processing of personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is related to such direct marketing. If you object to processing for direct marketing purposes, the personal data will no longer be processed for these purposes.
In connection with the use of information society services, notwithstanding the ePrivacy Directive, you may exercise your right to object by means of automated procedures using technical specifications.
Automated decisions in individual cases including profiling
You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision:
- is necessary for the conclusion or performance of a contract between you and us,
- is permitted by legal provisions of the Union or the member states to which we are subject and these legal provisions contain appropriate measures to protect your rights and freedoms as well as your legitimate interests, or
- is done with your express consent.
We take reasonable steps to safeguard the rights and freedoms as well as your legitimate interests, which include, at a minimum, the right to obtain the intervention of a person responsible, to express your point of view and to contest the decision.
Right to complain to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your residence, workplace or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR. You can find the supervisory authority responsible for us here:
The State Commissioner for Data Protection and for the Right to Inspect Files.
Stahnsdorfer Damm 77
5. Concretely collected personal data
The following subsections list those data that we, or our contractors, collect from you and how it is used.
Hosting service provider
We use the service provider MyRaidBoxes.de to provide the necessary server infrastructure and software. A contract for order data processing has been concluded with this service provider. The service provider only uses computer systems for our website that are deployed by European companies in the European legal area of the GDPR.
Data collection when visiting our website
When you visit our website, our hosting service provider collects the following data, which is technically necessary to display our websites and to ensure stability and security:
- IP address of the user
- Date and time of the request
- Content of the request (specific page)
- access status/HTTP status code
- amount of data transferred in each case
- Website from which the request comes (if your browser transmits this)
- Operating system of the user (if transmitted by your browser)
- Language and version of the browser software (if transmitted by your browser).
This data is temporarily stored in the log files of the hosting provider’s system for a maximum of 7 days.
A storage of the log files together with other personal data concerning you does not take place in this context. The legal basis for these processing operations is Art. 6 para. 1 lit. f DSGVO.
Since the collection of data to display the websites and the storage of the data in log files is absolutely necessary for the operation of our websites and the maintenance of IT security, you have no possibility to object in this respect.
We count which subpages of our website have been accessed, how often and when. For this purpose, we use the software Matomo, which runs on the same system as the website. Matomo is set to count only the accesses to a specific subpage of our website, without using any other personal data. No personal data is stored in this context.
On our website you will find contact forms and e-mail links (mailto), which can be used for electronic contact. In this way, we fulfill, among other things, the legal requirement to enable rapid electronic contact with us. If you use this option, your information will be processed and automatically stored for the purpose of responding to the inquiry in accordance with Art. 6 Para. 1 lit. c DSGVO. We delete the inquiries if they are no longer required and no legal archiving obligations apply.
The information entered in the contact form is transferred to our ticketing system using a continuously transport-encrypted email connection. We use the service provider Intero Technologies GmbH for this purpose. A contract for order data processing has been concluded with this service provider. The service provider only uses computer systems for the services we hire, which are used by European companies in the European legal area of the DSGVO.
Some of our contact forms are provided by third-party providers. These are also described under the following specific providers and are only activated after consent. Such contact forms contain a separate disclosure and consent if processing is carried out by companies from insecure third countries.
As HubSpot is a company from the USA, the processing of personal data in accordance with Article 49 of the GDPR is only permitted in exceptional cases, in this case with consent. Since this precludes permanent processing, we will use HubSpot until 30.10.2022 and delete all data after this date of use.
HubSpot and we process all data that you enter in a contact form, enter when registering for newsletters or which is transmitted to us through a contact via HubSpot.
In addition, HubSpot processes the following information for its own purposes:
- Date and time of contact with us, e.g. via forms or by clicking on links to HubSpot.
- IP address of your end device at the time of use, e.g. to carry out geolocation or identification of your internet service provider.
- All data sent by your browser itself (e.g. language preferences, operating system, browser provider)
- Linking to previous visits to websites that also use HubSpot to perform profiling and improve its services.
- Link to data from all other parts of HubSpot’s business (e.g. PieSync, The Hustle).
- HubSpot uses all personal data available to it to optimise and advise on its services. Machine learning algorithms are also applied to your data at HubSpot.
- HubSpot transfers your personal data to its headquarters in the USA, even if Europe was chosen as the server location.
- All usage data is also transmitted (in anonymised form) to other service providers for evaluation.
- HubSpot also obtains data from advertising networks and links this information with your data held by HubSpot in order to improve its services.
- Linking to your social media accounts, email accounts and other account types if you accessed HubSpot through them.
The aforementioned processing takes place in all services (e.g. forms, landing pages, newsletters, etc.) of the company, provided that there is a technical possibility to do so.
We explicitly point this out to you before you use such a service and request your consent.
Cookies are also used technically to track your activities.
You can find more detailed information on the processing by HubSpot in their data protection provisions.
Integrations of further providers through Hubspot
HubSpot allows the information used there to be shared/linked with additional providers. The following integrations are used by us:
Calendly helps us to arrange appointments with you. Through the link, all of your data that Hubspot stores as part of a contact is transferred to Calendly. This includes, for example, all data that comes from third-party providers, such as location data, all personal data (e.g. address) and historical data. Calendly itself also transfers your personal data for the purposes of its own analysis and provision of its services to:
- Google Analytics
Cookies are also used technically to track your activities.
Eventbrite is also a company from the USA. Therefore, the same conditions of use apply as those described above for Hubspot.
Eventbrite helps us to plan our own events and make them bookable. Through the link, all of your data that Hubspot stores as part of a contact is transferred to Eventbrite. This includes, for example, all data that originates from third-party providers, such as location data, all personal data (e.g. address) and historical data.
Eventbrite uses this data for, among other things:
- its own internal business purposes
- Profiling to show you customised ads from its advertising partners or to show you events that are right for you
- demographic analysis of your interests and behaviours
Cookies are also used technically to track your activities.
Mailchimp uses this data for, among other things:
- Tracking whether and when you have opened a newsletter
- Geolocation through transmission of the IP address or other data
- Tracking which link you have opened from the newsletter and when, which browser you are using and which settings (e.g. language) it has.
Mailchimp itself also transfers your personal data for the purposes of its own analysis and provision of its services to:
- Akamai, Massachusetts, USA
- Amazon, Washington, USA
- CodeScience, Tennessee, USA
- E-Hawk, New York, USA
- El Camino, California, USA
- Finc3, Hamburg, Germany
- Fivetran, California, USA
- Google, California, USA
- Looker, California, USA
- Percona, North Carolina, USA
- R. Donnelley, Illinois, USA
- SC Wedis Company SRL, Târgu Mureș, Romania
- Slack, California, USA
- SmartyStreets, Utah, USA
- TaskUs, USA and Greece
- TaxJar, Massachusetts, USA
- Two Bulls, New York, USA
- Tyrannosaurus Tech, Georgia, USA
- Vextras LLC, Tennessee, USA
- Zendesk, California, USA
Cookies are also technically used to track your activities.
Our website integrates the services of the US company Instagram to show you our information from this social network. In the process, at least your IP address is transmitted once (or only if you visit our site and have activated this) to an unsafe third country.
Instagram uses this information for:
- Profiling you (including age, preferences, gender) to show you advertisements
- Measuring the success of its own services
- Tracking across multiple websites, for profiling purposes.
Instagram shares all information with all other participating companies of the Meta Group (e.g. Facebook, WhatsApp, Oculus).
If you are logged in to Instagram via one of your Meta Group accounts when you visit our website, Instagram uses the information that you have viewed our feed in accordance with the privacy settings you selected for the Meta Group service (e.g. for profiling, for its own analyses, advertising partners).
Cookies are also used technically to track your activities.
Our online offer contains links to other websites. We have no influence on whether their operators comply with data protection regulations.