The protection of personal data is very important to us. Therefore, we would like to inform you in the following comprehensively about the collection and use on our online offer. In doing so, we will try to use language that is as simple and understandable as possible.
1. Name and address of the responsible person and data protection officer
The responsible party within the meaning of the General Data Protection Regulation and other national data protection laws of the Member States as well as other data protection regulations is:
Green City Solutions GmbH
The data protection officer of the responsible person is:
PGP key for encrypted end-to-end communication
A controller is a natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.
The controller verifies the permissibility of data processing through the use of technical and organizational measures that are subject to regular review.
Personal data means any information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”). An identifiable natural person is one whose identity can be determined, in particular by means of association with an identifier such as a name, an identification number, location data, an online identifier (e.g. IP address or cookies). This also includes one or more special characteristics that are an expression of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
Processing is any operation (or series of operations) performed upon personal data, whether or not by automated means. This therefore includes any handling of personal data such as collection, storage, modification, use, transmission, dissemination, erasure or destruction.
Pseudonymization is the processing of personal data in such a way that this data can no longer be unambiguously assigned to a data subject without the use of additional information. This additional information must be treated separately and be subject to technical and organizational measures that ensure that the personal data is no longer combined for identification purposes.
A processor is an entity (e.g. a natural or legal person e.g. company, authority, institution) that processes personal data on behalf of the controller.
A recipient is a natural or legal person, authority, body or other entity to which personal data are disclosed, whether or not it is a third party. However, public authorities that may receive personal data in the context of a specific investigation mandate under Union or Member State law are not considered recipients.
A third party is a natural or legal person, public authority, agency or other body, other than the data subject, the controller, the processor and the persons authorized to process the personal data under the direct responsibility of the controller or the processor.
Consent is an expression of informed and free (in this case data protection) self-determination.
It is an unequivocal expression of will in the form of a declaration or other unambiguous confirming action. With this declaration, the data subject indicates that he or she consents to the processing of personal data relating to him or her. Consent given in this manner may be revoked at any time.
3. Principles of data processing
As a matter of principle, we process your personal data only to the extent necessary to provide our online service. Your personal data is regularly processed only after you have given your consent or if the processing of the data is permitted by legal regulations.
Legal basis for the processing of personal data
In data protection, the basic concept of a prohibition with reservation of permission applies with regard to the processing of personal data. This means that processing is generally prohibited unless a legal permission allows the processing. We are obliged and also want to inform you about the legal basis for data processing.
If we obtain your consent for the processing of personal data, Art. 6 (1) lit. a DSGVO serves as the legal basis.
If processing operations are necessary for the performance of a contract concluded between you and us or for the implementation of pre-contractual measures, Art. 6 (1) lit. b DSGVO serves as the legal basis.
If the processing of personal data is necessary for the fulfillment of a legal obligation to which we are subject, such as legal retention and storage obligations, Art. 6 (1) lit. c DSGVO serves as the legal basis.
In the event that vital interests of the data subject or another natural person make processing of personal data necessary, Art. 6 (1) lit. d DSGVO is the legal basis.
If the processing is necessary to protect our or a third party’s legitimate interests and your interests, fundamental rights and freedoms do not override the former interest, the processing of personal data is legitimized by Art. 6 (1) lit. f DSGVO.
Disclosure of personal data to third parties and processors
We do not disclose personal data to third parties without your express consent. If, in the course of processing, we nevertheless disclose your data to third parties, transmit it to them or otherwise grant them access to the data, this is also done exclusively on the basis of one of the aforementioned legal grounds. If we are obliged to do so by law or by court order, we must transfer your data to bodies entitled to receive such information.
In some cases, we use carefully selected external service providers to process your data. If data is passed on to service providers as part of a so-called order processing, this is done on the basis of Art. 28 DSGVO. Our processors are carefully selected, are bound by our instructions and are regularly monitored by us. We only commission processors who provide sufficient guarantees that appropriate technical and organizational measures are taken in such a way that the processing is carried out in accordance with the requirements of DSGVO and BDSG-neu and ensures the protection of your rights.
Data transfer to third countries
When selecting our service providers and cooperation partners, we rely exclusively on European partners if your personal data is to be processed.
Deletion of data and storage period
As soon as the purpose for storage ceases to apply, we will delete or block your personal data. Beyond this, however, storage may take place if this has been provided for by the European or national legislator in EU regulations, laws or other regulations to which we are subject. This applies, for example, to data that must be retained for reasons of commercial or tax law, e.g. invoice data. Your data will be blocked or deleted if a storage period prescribed by these regulations expires, unless there is a need for further storage of the data for the conclusion or performance of a contract.
Existence of automated decision making
We do not use automated decision-making or profiling.
4. Your rights as a data subject
If personal data is processed by you, you are a data subject within the meaning of the GDPR. You are entitled to the following rights vis-à-vis us as the data controller:
Right to revoke a declaration of consent under data protection law.
If the processing of personal data is based on a granted consent, you have the right to revoke this consent at any time. The revocation does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
Right to information
You have the right to request confirmation from us as to whether we are processing personal data relating to you. If this is the case, you can request information about the following:
- the purposes of processing;
- the categories of personal data that are processed;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed; in addition, in connection with transfers to a third country or an international organization, you have the right to be informed about the appropriate safeguards pursuant to Article 46 of the GDPR;
- if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration;
- the existence of a right to rectification or erasure of the personal data concerning you or to restriction of processing by us or a right to object to such processing;
- The existence of a right of appeal to a supervisory authority;
- if the personal data is not collected from you, any available information about the origin of the data;
- the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.
We will provide you with a copy of the personal data that is the subject of the processing within one month of receiving your request for information. For any additional copies you request, we may charge a reasonable fee based on administrative costs. If you make the request electronically, we will provide you with the information in a commonly used electronic format unless you specify otherwise.
Right to rectification
You have the right to request that we correct your personal data without undue delay if it is inaccurate. Taking into account the purposes of the processing, you have the right to request that incomplete personal data be completed, including by means of a supplementary declaration.
Right to erasure (“right to be forgotten”)
You have the right to request that we erase personal data concerning you without undue delay, and we are obliged to erase personal data without undue delay, if one of the following reasons applies:
- The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
- You withdraw your consent on which the processing was based and there is no other legal basis for the processing.
- You object to the processing and there are no overriding legitimate grounds for the processing, or you object to the processing.
- The personal data have been processed unlawfully.
- The erasure of the personal data is necessary for compliance with a legal obligation under Union or Member State law.
- The personal data has been collected in relation to information society services offered in accordance with Article 8(1) of the GDPR.
If we have made the personal data concerning you public and we are obliged to erase it, we shall take reasonable measures, including technical measures, having regard to the available technology and the cost of implementation, to inform data controllers who process the personal data that you have requested that they erase all links to or copies or replications of that personal data.
The right to erasure (“right to be forgotten”) does not exist to the extent that the processing is necessary:
- for the exercise of the right to freedom of expression and information;
- for compliance with a legal obligation which requires processing under Union or Member State law to which we are subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;
- for reasons of public interest in the area of public health pursuant to Art. 9(2)(h) and (i) and Art. 9(3) DSGVO;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Art. 89(1) DSGVO, insofar as the right to erasure is likely to render impossible or seriously prejudice the achievement of the purposes of such processing; or
- for the assertion, exercise or defense of legal claims.
Right to restriction of processing
You have the right to request us to restrict the processing of your personal data if one of the following conditions is met:
- You dispute the accuracy of the personal data concerning you for a period of time that allows us to verify the accuracy of the personal data;
- the processing is unlawful and you request the restriction of the use of the personal data instead of erasure;
- we no longer need the personal data for the purposes of processing, but you need it for the assertion, exercise or defense of legal claims; or
- You have objected to the processing as long as it has not yet been determined whether our legitimate grounds override your grounds.
Where processing has been restricted in accordance with the above conditions, such personal data shall – apart from being stored – only be processed with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.
If the restriction of processing has been restricted in accordance with the above conditions, we will inform you before the restriction is lifted.
Right to data portability
You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format, and you have the right to transfer this data to another controller without hindrance from us, provided that the processing is based on consent or on a contract and is carried out with the help of automated processes.
In exercising the right to data portability, you may obtain that the personal data be transferred directly from us to another controller, where this is technically feasible. The exercise of the right to data portability does not affect the right to erasure (“right to be forgotten”). This right does not apply to processing necessary for the performance of a task entrusted to us, in the public interest or in the exercise of official authority.
Right of objection
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6(1)(e) or (f) DSGVO. This also applies to profiling based on these provisions. We will then no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
If personal data are processed for the purpose of direct marketing, you have the right to object at any time to processing of personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is related to such direct marketing. If you object to processing for direct marketing purposes, the personal data will no longer be processed for these purposes.
In connection with the use of information society services, notwithstanding the ePrivacy Directive, you may exercise your right to object by means of automated procedures using technical specifications.
Automated decisions in individual cases including profiling
You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision:
- is necessary for the conclusion or performance of a contract between you and us,
- is permitted by legal provisions of the Union or the member states to which we are subject and these legal provisions contain appropriate measures to protect your rights and freedoms as well as your legitimate interests, or
- Is done with your express consent.
We take reasonable steps to safeguard the rights and freedoms as well as your legitimate interests, which include, at a minimum, the right to obtain the intervention of a person responsible, to express your point of view and to contest the decision.
Right to complain to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your residence, workplace or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR. You can find the supervisory authority responsible for us here:
The State Commissioner for Data Protection and for the Right to Inspect Files.
Stahnsdorfer Damm 77
5. Concretely collected personal data
The following subsections list those data that we, or our contractors, collect from you and how it is used.
Hosting service provide
We use the service provider MyRaidBoxes.de to provide the necessary server infrastructure and software. A contract for order data processing has been concluded with this service provider. The service provider only uses computer systems for our website that are deployed by European companies in the European legal area of the GDPR.
Data collection when visiting our website
When you visit our website, our hosting service provider collects the following data, which is technically necessary to display our websites and to ensure stability and security:
- IP address of the user
- Date and time of the request
- Content of the request (specific page)
- access status/HTTP status code
- amount of data transferred in each case
- Website from which the request comes (if your browser transmits this)
- Operating system of the user (if transmitted by your browser)
- Language and version of the browser software (if transmitted by your browser).
This data is temporarily stored in the log files of the hosting provider’s system for a maximum of 7 days.
A storage of the log files together with other personal data concerning you does not take place in this context. The legal basis for these processing operations is Art. 6 para. 1 lit. f DSGVO.
Since the collection of data to display the websites and the storage of the data in log files is absolutely necessary for the operation of our websites and the maintenance of IT security, you have no possibility to object in this respect.
On our website you will find contact forms and e-mail links (mailto), which can be used for electronic contact. In this way, we fulfill, among other things, the legal requirement to enable rapid electronic contact with us. If you use this option, your information will be processed and automatically stored for the purpose of responding to the inquiry in accordance with Art. 6 Para. 1 lit. c DSGVO. We delete the inquiries if they are no longer required and no legal archiving obligations apply.
The information entered in the contact form is transferred to our ticketing system using a continuously transport-encrypted email connection. We use the service provider Intero Technologies GmbH for this purpose. A contract for order data processing has been concluded with this service provider. The service provider only uses computer systems for the services we hire, which are used by European companies in the European legal area of the DSGVO.
Our online offer contains links to other websites. We have no influence on whether their operators comply with data protection regulations.