1. Responsibility for the Processing of Your Personal Data (Controller)
Foundation myclimate – The Climate Protection Partnership
are the “controller” who is responsible for processing your personal data in the meaning of Art. 4 no. 7 GDPR. You can contact our data protection officer at firstname.lastname@example.org or via our mail address, attention of “data protection officer”.
2. Personal Data
The term “personal data” includes your personal details (such as your name, date of birth, address, citizenship), your identification data (e.g. your passport details), your order data including your e-mail address, your technical connection data (e.g. your IP address), your account and payment data (depending on the payment type), advertising and sales data and other comparable data.
3. Collection of Your Personal Data
In connection with the processing of your personal data, we make a distinction between data we collect directly from you and data that we receive from other sources.
3.1. Personal data that we collect from you:
3.1.1. If you are our customer, we will process the personal data you share with us when you contact us (e.g. via contact form, by e-mail or via your customer account). For example, this includes your name and e-mail address. This is done for the performance of the contract concluded with you pursuant to point (b) of Art. 6 (1) GDPR.
We use the services of Typeform (TYPEFORM S.L., Carrer de Bac de Roda, 163, 08018 Barcelona, Spain) to process enquiries sent through the contact form. TYPEFORM’s privacy policies are available here: https://admin.typeform.com/to/dwk6gt.
We also use Microsoft Forms, part of the Office 365 Family. MS Form is GDPR-compliant and the data for European-based tenants is stored on servers in Europe. Microsoft Data privacy is available here: https://privacy.microsoft.com/en-gb/privacy
3.1.2. When using our online zone via your customer account by means of a compensation or donation for a climate protection project and the associated contract conclusion, we process the personal data you share with us, which are required for the initiation of this contract via our online zone, for its performance and, if applicable, for the provision of a warranty or for the unwinding of the contract (point (b) of Art. 6 (1) GDPR). Among other things, the processed data include your address, your date of birth and your account/payment data. During the electronic order process, your technical connection data are collected as well. Erasure of your customer account is possible whenever you wish. This can be done by means of a message to email@example.com or using a function for this purpose in the customer account.
We may also process the data you specify for the purpose of informing you by mail about other interesting products from our portfolio. The legal basis for this is point (f) of Art. 6 (1) GDPR.
3.1.3. When you use our online area via your customer account in the process of financing climate protection projects or making a donation and in the course of the associated contract conclusion, we process your personal data, which are required for the initiation and execution of this contract and, if applicable, for the provision of a warranty or for the unwinding of the contract (pursuant to point (b) of Art. 6 (1) GDPR).
3.1.4 In order to provide you with a self-service information channel, also independently of our business hours, there is a chatbot ("digital assistant") on the website. During the automated chat, various information is transferred to the dialog platform (Art. 6 para. 1 a DSGVO). This includes, for example, the questions and answers entered by you (chat history).
To optimize the artificial intelligence of the chat bot, log files and chat histories are stored. The retention period is the period during which the collected data is stored for processing. The data will be deleted as soon as it is no longer needed for the specified processing purposes. Please note that some chat histories require us to request certain personal data in order to process your request, such as your name, email address or phone number. There is the possibility that the chatbot, if necessary and after your explicit consent, transfers your questions to our myclimate team for further consultation. In doing so, the chat history and existing customer data are transferred to the myclimate specialist.
We process the collected data in the cloud-based dialog system of the order processor knowhere (knowhere GmbH, Steinhöft 9, 20459 Hamburg, Germany). Thereby, the data hosting takes place in their company-owned data center in Hamburg, Germany.
3.1.5 Shape Your Trip - Teacher Registration: On the website https://module.shapeyourtrip.myclimate.org/ you have the possibility to register as a teacher. Within the framework of user registration using the SSO application "Keycloak", personal data is processed: Username, password, email address, first name, last name. We need this data to provide the service. For the website https://module.shapeyourtrip.myclimate.org/ we work together with the agency Lernetz AG, Pfingstweidstrasse 10, 8005 Zurich, to whom we transmit personal data. This personal data is stored on the server of the computer centre Begasoft, Bern in Switzerland (https://www.begasoft.ch/unternehmen/infrastruktur).
3.1.6. If you are a legal representative or employee of one of our customers, your personal data may be collected if you act on behalf or by order of our customer in the business relationship with us. This is done for the purpose of initiating or performing the contract concluded with you pursuant to point (b) of Art. 6 (1) GDPR
3.1.7. We also collect and process personal data for the purpose of processing applications (legal basis: point (b) of Art. 6 (1) GDPR). The processing may also take place electronically if you as the applicant send us application documents by e-mail. In the event we conclude an employment contract with you upon completion of the application procedure, we will store the transmitted data for the purpose of handling the employment relationship under consideration of the statutory regulations. If no employment contract is concluded, the electronically submitted application documents will be deleted, unless the deletion would conflict with other legitimate interests. Moreover, we may retain them if the applicant agrees to the continued retention for possible later consideration.
3.2. Personal Data We Receive from External Sources
We may also use personal data lawfully collected by another controller and that are lawfully transmitted to us, e.g. publicly accessible information. This includes lists of debtors, public registers such as insolvency announcements or information from the commercial register as well as from the media and Internet.
4. SSL encryption
We use SSL encryption to ensure the best possible protection of your transferred data. Connections which are encrypted in this way display the prefix "https://" in your browser’s address bar. Unencrypted websites display "http://". Thanks to SSL encryption, the data you transmit to these websites, e.g. when sending enquiries or logging in, are protected against being viewed or accessed by third parties.
5. Transmission of Your Personal Information to Third Parties
We will transmit your personal data to commissioned service providers in Germany and abroad insofar as this is necessary for economic or technical reasons. We will carefully select the respective service provider to this end, conclude a processing contract pursuant to Art. 28 GDPR and check him carefully. For the purpose of outsourcing certain business process, we have a legitimate interest in concluding processing contracts with the respective service provider pursuant to point (f) of Art. 6 (1) GDPR.
5.3. We may also transfer your personal data to affiliated companies, i.e. group companies. For the purpose of internal administration, we have a legitimate interest in the transfer of the data to our group companies in accordance with Art. 6 (1) (f) GDPR.
5.4. Your personal data collected via the customer database will be stored on the server of Nine Internet Solutions AG, Albisriederstrasse 243a, 8047 Zurich, Switzerland and/or Swisscom (Schweiz) AG, Enterprise Customer, Müllerstrasse 16, 8005 Zurich, Switzerland and will be forwarded to them for this purpose. This is done on the basis of a contract for order processing concluded with Nine Internet Solutions AG and/or Swisscom (Schweiz) AG in accordance with Art. 28 GDPR, in which we have a legitimate interest within the meaning of Art. 6 (1) (f) DSGVO.
5.5. Your data, which are generated directly via our website, are sent to one of our hosting providers; b.net GmbH Dresden, Wiener Straße 146, D-01210 Dresden, Germany, and/or AgenturWebfox GmbH, Einsteinufer 63, Einstein-Höfe, Court 1, Second Floor, 10587 Berlin, Germany, which will store it on the servers of Hetzner Online GmbH in a data centre in Falkenstein. We have concluded a third-party data processing agreement in accordance with Art. 28 GDPR with b.net GmbH. We use the hosting services of a third-party provider on the basis of our legitimate interest in the correct display of our website contents and services, Art. 6 (1) (f) GDPR.
5.6. We also work with the content management service provider Agentur Webfox, Einsteinufer 63, 10587 Berlin, Germany, to whom we transmit personal data via our website. We have concluded a third-party data processing agreement in accordance with Art. 28 GDPR with Webfox.
5.8. For the purpose of performing the contract pursuant to point (b) of Art. 6 (1) GDPR, we may also transmit your personal data to any party to which we assign rights resulting from the contractual relationship with you.
5.10 By using our online area at helvetia.myclimate.org in the course of financing climate protection or a donation made by you and the associated conclusion of a contract as well as your explicit consent during the purchase process, you agree to us making the data arising in connection with the conclusion of a contract available to Helvetia Schweizerische Versicherungsgesellschaft Ltd., Dufourstrasse 40, CH-9001 St.Gallen. The data transmitted includes your personal data, your address data, your number plate, the amount of the climate protection contribution, the project or portfolio for which your contribution is used, your method of payment and the date on which the contract was concluded. If you also decide during the purchase process to subscribe to the Helvetia Newsletter or to register for an annual reminder to make a climate protection contribution, we will inform Helvetia of this.
6. Forwarding of Your Personal Data to Third Countries
Where your data are transmitted to a third country, we make sure that the data are only transmitted to countries with an adequate level of protection in the meaning of Art. 45 (1) GDPR or that the controller domiciled in the respective third country has established suitable data protection safeguards. For example, these safeguards could be
6.1. binding corporate data protection rules pursuant to Art. 47 GDPR; or
6.2. standard contractual clauses issued by the European Commission in accordance with the examination procedure referred to in Art. 93 (2) GDPR.
7.1. With your consent, you can subscribe to our newsletter, in which we inform you about our current offers, climate protection and education projects, our partners and our company. The legal basis for this is point (a) of Art. 6 (1) sentence 1 GDPR.
7.2. For the subscription to our newsletter, we use the so-called double opt-in procedure. This means that following your subscription, we send an e-mail to the specified e-mail address, asking you for confirmation that you wish to receive the newsletter. If you do not confirm your subscription within 24 hours, your information will be blocked and automatically erased after one month. Apart from this, we store your respective IP addresses as well as the times of subscription and confirmation. The purpose of this procedure is to be able to furnish evidence of your subscription and, if necessary, to clarify any abuse of your personal data.
7.3. For the delivery of the newsletter, the specification of your e-mail address, country and language is mandatory. The specification of further, separately marked data is voluntary; these data are used to address you personally. Following your confirmation, we will store your e-mail address for the purpose of sending you the newsletter.
7.4. You can withdraw your consent to the delivery of the newsletter and unsubscribe from the newsletter whenever you wish. You can do this by sending a message to firstname.lastname@example.org or by using the link provided for this purpose in the newsletter.
7.5. Please note that when delivering the newsletter, we analyse your user behaviour. For this analysis, the transmitted e-mails contain so-called web beacons or tracking pixels, i.e. one-pixel image files that are stored on our website. For the analysis, we map the data specified in section 3.1.3. (data when using the website for information) and the web beacons to your e-mail address and an individual ID. The links transmitted in the newsletter also contain this ID. Based on these data, we create a user profile in order to custom-tailor the newsletter to your individual interests. In this context, we ascertain when you read our newsletters and which links you click in it; on this basis, we derive conclusions regarding your personal interests. We combine these data with the actions you perform on our website.
7.6. You can object to this tracking at any time by clicking the separate link that is provided in every e-mail or by informing us via another contact method. The information will be stored for as long as your newsletter subscription continues. If you unsubscribe, we will only store the data statistically and anonymously.
8.1. Additionally, cookies will be stored on your computer when you use our website. Cookies are little text files that are associated with the browser you use and stored on your hard disk, through which the party that sets the cookie (i.e. we) receives certain information. Cookies cannot run any programs or transfer viruses to your computer. They merely serve the purpose of making the website as a whole more user-friendly and effective.
8.2. This website uses transient and persistent cookies, whose scope and functionality are explained below:
8.2.1. Transient cookies are deleted automatically when you close the browser. This especially includes session cookies. These cookies store a so-called session ID with which various requests of your browsers can be allocated to the joint session. In this way, your computer can be recognised when you return to our website. Session cookies are deleted upon logout or when you close the browser.
8.2.2. Persistent cookies are deleted automatically after a predefined period that may vary depending on the cookie. You can delete the cookies in your browser’s security settings whenever you wish.
8.3. You can configure your browser settings according to your preferences and e.g. refuse to accept third-party cookies or all cookies. Please note that if you do so, you might not be able to use all functions of this website.
9. Use of Web Analysis Tools
9.1. Google Analytics
9.1.2. The IP addresses sent by your browser within the scope of Google Analytics will not be consolidated with other data of Google.
9.1.3. You can prevent the storage of cookies by configuring your browser software accordingly; in this case, however, you might not be able to use all functions of this website. Moreover, you can prevent the collection of data concerning your use of the website (including your IP address), which are generated by the cookie, and the processing of these data by Google by downloading and installing the browser plug-in that is available under the following link: https://tools.google.com/dlpage/gaoptout?hl=de
9.1.4. This website uses Google Analytics with the “_anonymizeIp()” extension. In this way, IP addresses are further processed in truncated form, making it impossible to allocate them to specific persons. Where the data collected about you could be allocated to you, this is made impossible immediately, and the personal data are thus erased immediately.
9.1.5. We use Google Analytics in order to analyse the use of our website and continually improve it. The statistics we gain enable us to improve our offer and make it more interesting for you as a user. We use Google Analytics on the basis of your consent granted via the cookie banner on our website, in accordance with Art. 6 (1) (a) GDPR.
9.1.6. For the exceptional cases in which personal data are transmitted to the USA, Google participates in the EU-US Privacy Shield. For information, see https://www.privacyshield.gov/EU-US-Framework
Plausible is used to collect anonymous information about the use of this website. No personal information is stored and no tracking cookie is used. It is not possible to draw conclusions about individuals. The following data is collected:
- Device type
- Country (IP address is not stored)
- Url of the page
- HTTP referer
- Operating system
10. Internet Advertising
10.1. Google AdWords
10.1.2. These advertisements are delivered by Google via ad servers. For this, we use ad server cookies, which can measure certain success measurement parameters such as the display of ads or user clicks. If you reach our website via a Google ad, Google AdWords will store a cookie on your PC. These cookies usually expire after 30 days and are not used to identify you personally. For this cookie, the unique cookie ID, the number of ad impressions per placement (frequency), the last impression (relevant for post-view conversions) as well as opt-out information (indication that the user no longer wants to be addressed) are stored as analysis values.
10.1.3. These cookies enable Google to recognise your Internet browser. If a user visits certain pages of the website of an AdWords customer and the cookie stored on his computer has not yet expired, Google and the customer can see that the user has clicked the ad and has been redirected to the respective page. A different cookie is assigned to every AdWords customer. Thus, cookies cannot be tracked via the websites of AdWords customers. In the context of the said advertising measures, we do not collect and process any personal data. Google merely provides us with statistical analyses. Based on these analyses, we learn which of the advertising measures used are especially effective. We do not receive any further data from the use of the ads; in particular, we cannot identify users on the basis of this information.
10.1.4. Due to the marketing tools used, your browser will automatically establish a direct connection to the Google server. The scope and further use of the data collected by Google due to this tool is beyond our control and we are thus informing you about what we do know: Through the embedding of AdWords Conversion, Google is informed that you have accessed the respective part of our website or clicked one of our ads. If you are registered with a Google service, Google can map the visit to your account. Even if you are not registered with Google or not logged in, the provider may learn and store your IP address.
10.1.5. You can prevent the participation in this tracking procedure in various ways:
10.1.6. The legal basis for the processing of your data is point (f) of Art. 6 (1) sentence 1 GDPR. Further information on the data protection at Google is available here: https://www.google.com/intl/de/policies/privacy and https://services.google.com/sitestats/de.html. Alternatively, you can visit the website of Network Advertising Initiative (NAI) at https://www.networkadvertising.org. Google participates in the EU-US Privacy Shield; https://www.privacyshield.gov/EU-US-Framework.
10.1.7. In connection with our use of the Google AdWords offer, the Google Grants program is also used. Google Grants provides free advertising to eligible non-profit organisations worldwide. Google Grants thus helps non-profit organisations like us to use AdWords in order to reach persons who use the Google search engine to find information that is relevant to such organisations.
10.2. Google Remarketing
10.2.1. We use Google Remarketing. This is a procedure for addressing you anew. This application enables the display of our ads as you continue using the Internet after visiting our website. This is done with the help of cookies stored in your browser, by means of which Google collects and analyses your user behaviour when visiting various websites. In this way, Google can identify your previous visit to our website. According to Google, the data collected in the context of remarketing is not associated with your personal data that may be stored by Google. In particular, Google points out that pseudonymisation is used for remarketing. The legal basis for this is Article 6 (1) (a) GDPR.
10.2.2. For the exceptional cases in which personal data are transmitted to the USA, Google participates in the EU-US Privacy Shield. For information, see https://www.privacyshield.gov/EU-US-Framework.
10.3. Microsoft Bing Ads
10.3.1 We use the conversion tracking function of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA, on our website. This entails Microsoft Bing Ads storing a cookie on your computer, provided you have reached our website via a Microsoft Bing ad. This enables Microsoft Bing and us to see that someone clicked on an ad, was forwarded to our website, and reached a pre-set target (conversion) site. We only find out about the total number of users who have clicked on a Bing ad and were forwarded to the conversion site. No personal information regarding the identity of the user is disclosed.
10.3.2 If you do not wish information regarding your user behaviour to be used as explained above, you may reject the setting of the cookie required for the process – for example, by deactivating the automatic setting of cookies in your browser settings. In addition, you may prevent the collection of the data generated by the cookie and related to your use of the website and processing of these data by Microsoft by objecting via the following link: https://account.microsoft.com/privacy/ad-settings/signedout?lang=en-EN. Further information about data protection and the cookies used by Microsoft and Bing Ads is available at the Microsoft website at https://privacy.microsoft.com/en-gb/privacystatement
11. Google Maps
11.1. We use the services of Google Maps on this website. This allows us to show you interactive maps directly on the website and enables you to use the maps function conveniently.
11.2. When you visit the website, Google receives the information that you have accessed the respective subpage of our website. Moreover, the data specified in section 3.1.3 are transmitted. This happens regardless of whether Google provides you with a user account into which you are logged in, or you have no user account. If you are logged in to Google, your data will be allocated directly to your account. If you do not wish this information to be allocated to your Google profile you must log out prior to activating the button. Google stores your data in the form of user profiles and uses them for the purpose of advertising, market research and/or needs-oriented design of its website. This analysis is performed (even for users who are not logged in) especially in order to deliver needs-oriented advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles; to exercise this right you will have to contact Google.
11.3. We use Google Maps to pursue our interest in an appropriate display of our online services and contents and to facilitate finding the locations specified on our website. This is a legitimate interest in terms of Art. 6 (1) (f) GDPR.
11.4. Further information on the purpose and scope of the collection of data and their processing by the plugin provider is available in the privacy policies of the provider. There, you can also see further information on your rights in this regard and on the configuration options to protect your privacy: http://www.google.com/intl/gb/policies/privacy. Google also processes your personal data in the USA and participates in the EU-US Privacy Shield; https://www.privacyshield.gov/EU-US Framework.
12. Connection to Social Media
12.1. Use of Social Media Plugins
12.1.1. We currently use the following social media plugins: Facebook, Google+, Twitter, Instagram, LinkedIn. To increase the protection of your data when visiting our website, the plugins are not fully embedded on the page, but merely using an HTML link (so-called “Shariff” solution of c’t). This makes sure that when a page of our website that contains such plugins is accessed, no connection is immediately established to the servers of the respective social network provider. If you click one of the buttons, a new browser window will open up with the page of the respective service provider, on which you can click the “Like” or “Share” button (possibly after entering your login details).
12.1.2. By way of the plugins, we enable you to interact with the social networks and other users. This helps us to improve our offering and make it more interesting for you as the user. The legal basis for the use of plugins is point (f) of Art. 6 (1) sentence 1 GDPR.
12.1.3. If you do not want the respective social networks to generate data about you via our website, you can take the following measure: Simply log out from the social networks before visiting our website or other websites.
12.1.4. Further information on the purpose and scope of the collection of data and their processing by the plugin providers is available in the privacy policies of these providers as shown below. There, you can also see further information on your rights in this regard and on the configuration options to protect your privacy.
12.1.5. Addresses of the plugin providers and URL of their privacy policies:
12.2.1. We have embedded YouTube videos on our website, which are stored at https://www.YouTube.com and can be played directly from our website. All these videos are embedded in the “privacy-enhanced mode”, i.e. no data about you as a user will be transmitted to YouTube as long as you do not play the videos. The data specified in section 12.2.2. will only be transmitted if you play the videos. This data transmission is beyond our control.
12.3.1. Plug-ins of the social network SoundCloud (SoundCloud Limited, Berners House, 47-48 Berners Street, London W1T 3NF, United Kingdom) are integrated on our websites. You can recognise the SoundCloud plug-ins by the SoundCloud logo on the affected sites.
12.3.2. When you visit our websites and after the plug-in is activated a direct connection will be established between your browser and the SoundCloud server. This will provide SoundCloud with information to the effect that you, with your IP address, have visited our site. If you click the “like” or the “share” button while you are logged in to your SoundCloud user account you may link and/or share the contents of our websites with your SoundCloud profile. By doing this SoundCloud will be able to attribute the visit to our websites to your user account. Please note that as the website provider we are not given any information on the contents of the transmitted data nor their use by SoundCloud. More information can be found in the privacy statement of SoundCloud: https://soundcloud.com/pages/privacy.
12.3.3. If you do not wish Soundcloud to attribute the visit to our websites to your SoundCloud user account, please log out of your SoundCloud user account before you activate the contents of the SoundCloud plug-in.
13. Retention Periods and Criteria for the Retention of Your Personal Data
All processed personal data will only be stored for as long as and to the extent necessary for the performance of our contractual and statutory obligations. For accounting reasons and due to statutory retention obligations, we usually retain collected personal data for 10 years. Longer statutory retention obligations or reasons may apply. For the delivery of our newsletter, we will store your e-mail address until you unsubscribe from the newsletter. All technical access data collected when visiting our website for information only are erased no later than seven days after the end of your visit to our site.
14. Security Measures
14.1. Pursuant to Art. 32 GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia appropriate measures to ensure the confidentiality, integrity and availability of data by controlling the physical and system access to the data as well as the input, forwarding, protection of the availability and separation of the data. Furthermore, we have established processes to ensure the exercise of the rights of the data subjects, erasure of data and reaction to threats to data. Moreover, we already consider the protection of personal data in the development and selection of hardware, software and processes in accordance with the data protection principle by design and by default (Art. 25 GDPR).
14.2. In particular, the security measures included the encrypted transmission of data between your browser and our server.
15. Your Rights
15.1. You have the following rights vis-à-vis us with respect to the personal data concerning you:
On grounds relating to your particular situation, you have the right to object to the processing of personal data concerning you on the basis of point (f) of Art. 6 (1) GDPR (data processing due to a legitimate interest). If you object, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Moreover, you have the right to object at any time to the processing of data concerning you for direct advertising purposes (Art. 21 (2) GDPR). If you object to the processing for direct marketing purposes, we will no longer process your personal data for such purposes.
15.2. To exercise your rights specified in section 12.1., please send an e-mail to email@example.com or contact the address specified in section 1.2.
15.3. You also have the right to lodge a complaint with the responsible data protection supervisory authority about the processing of your personal data by us.
16. Customize privacy settings
Here you can customize privacy settings.