1. Responsibility for the Processing of Your Personal Data (Controller)
Foundation myclimate – The Climate Protection Partnership
are the “controller” who is responsible for processing your personal data in the meaning of Art. 4 no. 7 GDPR. You can contact our data protection officer at firstname.lastname@example.org oor via our mail address, attention of “data protection officer”.
2. Personal Data
The term “personal data” includes your personal details (such as your name, date of birth, address, citizenship), your identification data (e.g. your passport details), your order data including your e-mail address, your technical connection data (e.g. your IP address), your account and payment data (depending on the payment type), advertising and sales data and other comparable data.
3. Collection of Your Personal Data
In connection with the processing of your personal data, we make a distinction between data we collect directly from you and data that we receive from other sources.
3.1. Personal data that we collect from you:
3.1.1. If you are our customer, we will process the personal data you share with us when you contact us (e.g. via contact form, by e-mail or via your customer account). For example, this includes your name and e-mail address. This is done for the performance of the contract concluded with you pursuant to point (b) of Art. 6 (1) GDPR.
3.1.2. When using our online zone via your customer account by means of a compensation or donation for a climate protection project and the associated contract conclusion, we process the personal data you share with us, which are required for the initiation of this contract via our online zone, for its performance and, if applicable, for the provision of a warranty or for the unwinding of the contract (point (b) of Art. 6 (1) GDPR). Among other things, the processed data include your address, your date of birth and your account/payment data. During the electronic order process, your technical connection data are collected as well. Erasure of your customer account is possible whenever you wish. This can be done by means of a message to email@example.com using a function for this purpose in the customer account.
We may also process the data you specify for the purpose of informing you by mail about other interesting products from our portfolio. The legal basis for this is point (f) of Art. 6 (1) GDPR.
3.1.3. If you access and use our website for information only, we will only collect data that are automatically transmitted by your web browser. For example, this includes the date and time of the access to our website, the transmitted data volume, the website from which the request originates, the browser type, browser settings and your IP address. These access data are only analysed for the purpose of ensuring smooth operation of the website and improving our offer. This takes place on the basis of our legitimate interest in the correct presentation of our offering pursuant to point (f) of Art. 6 (1) GDPR.
3.1.4. If you are a legal representative or employee of one of our customers, your personal data may be collected if you act on behalf or by order of our customer in the business relationship with us. This is done for the purpose of initiating or performing the contract concluded with you pursuant to point (b) of Art. 6 (1) GDPR
3.1.5. We also collect and process personal data for the purpose of processing applications (legal basis: point (b) of Art. 6 (1) GDPR). The processing may also take place electronically if you as the applicant send us application documents by e-mail. In the event we conclude an employment contract with you upon completion of the application procedure, we will store the transmitted data for the purpose of handling the employment relationship under consideration of the statutory regulations. If no employment contract is concluded, the electronically submitted application documents will be deleted, unless the deletion would conflict with other legitimate interests. Moreover, we may retain them if the applicant agrees to the continued retention for possible later consideration.
3.2. Personal Data We Receive from External Sources
We may also use personal data lawfully collected by another controller and that are lawfully transmitted to us, e.g. publicly accessible information. This includes lists of debtors, public registers such as insolvency announcements or information from the commercial register as well as from the media and Internet.
4. Transmission of Your Personal Information to Third Parties
We will transmit your personal data to commissioned service providers in Germany and abroad insofar as this is necessary for economic or technical reasons. We will carefully select the respective service provider to this end, conclude a processing contract pursuant to Art. 28 GDPR and check him carefully. For the purpose of outsourcing certain business process, we have a legitimate interest in concluding processing contracts with the respective service provider pursuant to point (f) of Art. 6 (1) GDPR.
4.2. Moreover, we may transmit your personal data to companies affiliated with us, i.e. group companies. We have a legitimate interest in forwarding the data to our group companies for internal administration purposes pursuant to point (f) of Art. 6 (1) GDPR.
4.3. Your personal data that are collected via the customer database are stored on the server of Nine Internet Solutions AG, Albisriederstrasse 243a, 8047 Zürich, Switzerland and/or of Swisscom (Switzerland) Ltd, Enterprise Customers, Müllerstrasse 16, 8005 Zürich, Switzerland and forwarded to these for this purpose. This is done on the basis of processing contracts concluded with Nine Internet Solutions AG and Swisscom (Switzerland) Ltd pursuant to Art. 28 GDPR, in which we have a legitimate interest in the meaning of point (f) of Art. 6 (1) GDPR.
4.4. Your data, which are generated directly via our website, are sent to AgenturWebfox GmbH, Einsteinufer 63, Einstein-Höfe, Court 1, level 2, 10587 Berlin, Germany, which stores it on the servers of Hetzner Online GmbH.
4.6. For the purpose of performing the contract pursuant to point (b) of Art. 6 (1) GDPR, we may also transmit your personal data to any party to which we assign rights resulting from the contractual relationship with you.
4.8. Our webshop uses the 3-D Secure 2.0 procedure. This is necessary to comply with the PSD2 directive, which regulates all financial institutions in the EU. With this procedure, the following data of the webshop user is now transmitted to the card organizations: Device information and browser information.
5. Forwarding of Your Personal Data to Third Countries
Where your data are transmitted to a third country, we make sure that the data are only transmitted to countries with an adequate level of protection in the meaning of Art. 45 (1) GDPR or that the controller domiciled in the respective third country has established suitable data protection safeguards. For example, these safeguards could be
5.1. binding corporate data protection rules pursuant to Art. 47 GDPR; or
5.2. standard contractual clauses issued by the European Commission in accordance with the examination procedure referred to in Art. 93 (2) GDPR.
6.1. With your consent, you can subscribe to our newsletter, in which we inform you about our current offers, climate protection and education projects, our partners and our company. The legal basis for this is point (a) of Art. 6 (1) sentence 1 GDPR.
6.2. For the subscription to our newsletter, we use the so-called double opt-in procedure. This means that following your subscription, we send an e-mail to the specified e-mail address, asking you for confirmation that you wish to receive the newsletter. If you do not confirm your subscription within 24 hours, your information will be blocked and automatically erased after one month. Apart from this, we store your respective IP addresses as well as the times of subscription and confirmation. The purpose of this procedure is to be able to furnish evidence of your subscription and, if necessary, to clarify any abuse of your personal data.
6.3. For the delivery of the newsletter, the specification of your e-mail address, country and language is mandatory. The specification of further, separately marked data is voluntary; these data are used to address you personally. Following your confirmation, we will store your e-mail address for the purpose of sending you the newsletter.
6.4. You can withdraw your consent to the delivery of the newsletter and unsubscribe from the newsletter whenever you wish. You can do this by sending a message to firstname.lastname@example.org or by using the link provided for this purpose in the newsletter.
6.5. Please note that when delivering the newsletter, we analyse your user behaviour. For this analysis, the transmitted e-mails contain so-called web beacons or tracking pixels, i.e. one-pixel image files that are stored on our website. For the analysis, we map the data specified in section 3.1.3. (data when using the website for information) and the web beacons to your e-mail address and an individual ID. The links transmitted in the newsletter also contain this ID. Based on these data, we create a user profile in order to custom-tailor the newsletter to your individual interests. In this context, we ascertain when you read our newsletters and which links you click in it; on this basis, we derive conclusions regarding your personal interests. We combine these data with the actions you perform on our website.
6.6. You can object to this tracking at any time by clicking the separate link that is provided in every e-mail or by informing us via another contact method. The information will be stored for as long as your newsletter subscription continues. If you unsubscribe, we will only store the data statistically and anonymously.
7.1. Additionally, cookies will be stored on your computer when you use our website. Cookies are little text files that are associated with the browser you use and stored on your hard disk, through which the party that sets the cookie (i.e. we) receives certain information. Cookies cannot run any programs or transfer viruses to your computer. They merely serve the purpose of making the website as a whole more user-friendly and effective.
7.2. This website uses transient and persistent cookies, whose scope and functionality are explained below:
7.2.1. Transient cookies are deleted automatically when you close the browser. This especially includes session cookies. These cookies store a so-called session ID with which various requests of your browsers can be allocated to the joint session. In this way, your computer can be recognised when you return to our website. Session cookies are deleted upon logout or when you close the browser.
7.2.2. Persistent cookies are deleted automatically after a predefined period that may vary depending on the cookie. You can delete the cookies in your browser’s security settings whenever you wish.
7.3. You can configure your browser settings according to your preferences and e.g. refuse to accept third-party cookies or all cookies. Please note that if you do so, you might not be able to use all functions of this website.
8. Use of Web Analysis Tools
8.1. Google Analytics
8.1.2. The IP addresses sent by your browser within the scope of Google Analytics will not be consolidated with other data of Google.
8.1.3. You can prevent the storage of cookies by configuring your browser software accordingly; in this case, however, you might not be able to use all functions of this website. Moreover, you can prevent the collection of data concerning your use of the website (including your IP address), which are generated by the cookie, and the processing of these data by Google by downloading and installing the browser plug-in that is available under the following link: https://tools.google.com/dlpage/gaoptout?hl=de
8.1.4. This website uses Google Analytics with the “_anonymizeIp()” extension. In this way, IP addresses are further processed in truncated form, making it impossible to allocate them to specific persons. Where the data collected about you could be allocated to you, this is made impossible immediately, and the personal data are thus erased immediately.
8.1.5. We use Google Analytics in order to analyse the use of our website and continually improve it. The statistics we gain enable us to improve our offer and make it more interesting for you as a user. The legal basis for the use of Google Analytics is point (f) of Art. 6 (1) GDPR.
For the exceptional cases in which personal data are transmitted to the USA, Google participates in the EU-US Privacy Shield. For information, see https://www.privacyshield.gov/EU-US-Framework
9. Internet Advertising
9.1. Google AdWords
9.1.1. We use the Google AdWords service in order to draw attention to our offers and effective climate protection by means of advertisements (so-called Google AdWords) on external websites. We can determine how successful the individual advertising measures are in relation to the data of the advertising campaigns. In this way, we pursue the legitimate interest pursuant to point (f) of Art. 6 (1) GDPR to show you information and ads that are of interest to you, to make our website more attractive for you and to achieve fair calculation of advertising costs.
9.1.2. These advertisements are delivered by Google via ad servers. For this, we use ad server cookies, which can measure certain success measurement parameters such as the display of ads or user clicks. If you reach our website via a Google ad, Google AdWords will store a cookie on your PC. These cookies usually expire after 30 days and are not used to identify you personally. For this cookie, the unique cookie ID, the number of ad impressions per placement (frequency), the last impression (relevant for post-view conversions) as well as opt-out information (indication that the user no longer wants to be addressed) are stored as analysis values.
9.1.3. These cookies enable Google to recognise your Internet browser. If a user visits certain pages of the website of an AdWords customer and the cookie stored on his computer has not yet expired, Google and the customer can see that the user has clicked the ad and has been redirected to the respective page. A different cookie is assigned to every AdWords customer. Thus, cookies cannot be tracked via the websites of AdWords customers. In the context of the said advertising measures, we do not collect and process any personal data. Google merely provides us with statistical analyses. Based on these analyses, we learn which of the advertising measures used are especially effective. We do not receive any further data from the use of the ads; in particular, we cannot identify users on the basis of this information.
9.1.4. Due to the marketing tools used, your browser will automatically establish a direct connection to the Google server. The scope and further use of the data collected by Google due to this tool is beyond our control and we are thus informing you about what we do know: Through the embedding of AdWords Conversion, Google is informed that you have accessed the respective part of our website or clicked one of our ads. If you are registered with a Google service, Google can map the visit to your account. Even if you are not registered with Google or not logged in, the provider may learn and store your IP address.
9.1.5. You can prevent the participation in this tracking procedure in various ways:
9.1.6. The legal basis for the processing of your data is point (f) of Art. 6 (1) sentence 1 GDPR. Further information on the data protection at Google is available here: https://www.google.com/intl/de/policies/privacy and https://services.google.com/sitestats/de.html. Alternatively, you can visit the website of Network Advertising Initiative (NAI) at https://www.networkadvertising.org. Google participates in the EU-US Privacy Shield; https://www.privacyshield.gov/EU-US-Framework.
9.1.7. In connection with our use of the Google AdWords offer, the Google Grants program is also used. Google Grants provides free advertising to eligible non-profit organisations worldwide. Google Grants thus helps non-profit organisations like us to use AdWords in order to reach persons who use the Google search engine to find information that is relevant to such organisations.
9.2. Google Remarketing
9.2.1. We use Google Remarketing. This is a procedure for addressing you anew. This application enables the display of our ads as you continue using the Internet after visiting our website. This is done with the help of cookies stored in your browser, by means of which Google collects and analyses your user behaviour when visiting various websites. In this way, Google can identify your previous visit to our website. According to Google, the data collected in the context of remarketing is not associated with your personal data that may be stored by Google. In particular, Google points out that pseudonymisation is used for remarketing.
9.2.2. For the exceptional cases in which personal data are transmitted to the USA, Google participates in the EU-US Privacy Shield. For information, see https://www.privacyshield.gov/EU-US-Framework.
9.3. Microsoft Bing Ads
9.3.1 On our pages we use the Conversion Tracking of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. Microsoft Bing Ads will place a cookie on your computer if you access our website www.myclimate.org via a Microsoft Bing ad. This allows Microsoft Bing and myclimate to identify if someone has clicked on an ad, has been redirected to our website and has reached a previously defined target page (conversion page). We only see the total number of users who clicked on a Bing ad and were then redirected to the conversion page. No personal information about the the user is disclosed./p>
9.3.2 If you do not want information as described above to be used by Microsoft, you can prevent the setting of a cookie required for this purpose – for example, by using a browser setting that generally deactivates the automatic setting of cookies. You can also prevent the collection of data generated by the cookie and related to your use of the website and the processing of this data by Microsoft by clicking on the following link: http://choice.microsoft.com/de-DE/opt-out to declare your objection. Further information on data protection and the cookies used at Microsoft and Bing Ads can be found on the Microsoft website at https://privacy.microsoft.com/de-de/privacystatement
10. Connection to Social Media
10.1. Use of Social Media Plugins
10.1.1. We currently use the following social media plugins: Facebook, Google+, Twitter, Instagram, LinkedIn. To increase the protection of your data when visiting our website, the plugins are not fully embedded on the page, but merely using an HTML link (so-called “Shariff” solution of c’t). This makes sure that when a page of our website that contains such plugins is accessed, no connection is immediately established to the servers of the respective social network provider. If you click one of the buttons, a new browser window will open up with the page of the respective service provider, on which you can click the “Like” or “Share” button (possibly after entering your login details).
10.1.2. By way of the plugins, we enable you to interact with the social networks and other users. This helps us to improve our offering and make it more interesting for you as the user. The legal basis for the use of plugins is point (f) of Art. 6 (1) sentence 1 GDPR.
10.1.3. If you do not want the respective social networks to generate data about you via our website, you can take the following measure: Simply log out from the social networks before visiting our website or other websites.
10.1.4. Further information on the purpose and scope of the collection of data and their processing by the plugin providers is available in the privacy policies of these providers as shown below. There, you can also see further information on your rights in this regard and on the configuration options to protect your privacy.
10.1.5. Addresses of the plugin providers and URL of their privacy policies:
10.2.1. We have embedded YouTube videos on our website, which are stored at https://www.YouTube.com and can be played directly from our website. All these videos are embedded in the “privacy-enhanced mode”, i.e. no data about you as a user will be transmitted to YouTube as long as you do not play the videos. The data specified in section 10.2.2. will only be transmitted if you play the videos. This data transmission is beyond our control.
11. Retention Periods and Criteria for the Retention of Your Personal Data
All processed personal data will only be stored for as long as and to the extent necessary for the performance of our contractual and statutory obligations. For accounting reasons and due to statutory retention obligations, we usually retain collected personal data for 10 years. Longer statutory retention obligations or reasons may apply. For the delivery of our newsletter, we will store your e-mail address until you unsubscribe from the newsletter. All technical access data collected when visiting our website for information only are erased no later than seven days after the end of your visit to our site.
12. Security Measures
12.1. Pursuant to Art. 32 GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia appropriate measures to ensure the confidentiality, integrity and availability of data by controlling the physical and system access to the data as well as the input, forwarding, protection of the availability and separation of the data. Furthermore, we have established processes to ensure the exercise of the rights of the data subjects, erasure of data and reaction to threats to data. Moreover, we already consider the protection of personal data in the development and selection of hardware, software and processes in accordance with the data protection principle by design and by default (Art. 25 GDPR).
12.2. In particular, the security measures included the encrypted transmission of data between your browser and our server.
13. Your Rights
13.1. You have the following rights vis-à-vis us with respect to the personal data concerning you:
On grounds relating to your particular situation, you have the right to object to the processing of personal data concerning you on the basis of point (f) of Art. 6 (1) GDPR (data processing due to a legitimate interest). If you object, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Moreover, you have the right to object at any time to the processing of data concerning you for direct advertising purposes (Art. 21 (2) GDPR). If you object to the processing for direct marketing purposes, we will no longer process your personal data for such purposes.
13.2. To exercise your rights specified in section 12.1., please send an e-mail to email@example.com or contact the address specified in section 1.2.
13.3. You also have the right to lodge a complaint with the responsible data protection supervisory authority about the processing of your personal data by us.