Charge4Europe

Table of Contents

 

I. Preamble

II. Data controller / data protection officer / supervisory authority

III. Definitions

IV. General principles / information

V. Data categories

VI. Data processing for the provision of the website / the operation of a charging network

VII. Data processing relating to suppliers / service partners / service providers

VIII. Data processing for the purpose of the newsletter / advertising / marketing / public relations

IX. Rights of the data Subject

X. Amendments of the Privacy Statement

I. Preamble

Below, we, Charge4Europe GmbH, C4E for short, would like to inform you comprehensively and in detail about how we shall protect your privacy, and how personal data is processed within the framework of our contractual relationships. Personal data will be erased as soon as possible and will never be used for advertising purposes, or be passed on, without the appropriate consent. If you do not understand the information provided below or if it is insufficient, please do not hesitate to contact us using the contact details given in Section II.

Please note that for the online environment (homepages and/or internet), an additional privacy statement applies for websites. You can view this under the “Privacy” link on our websites.

II. Data controller / supervisory authority

Data controller

Charge4Europe GmbH (C4E)

Lindenallee 6

45127 Essen

E-Mail: info@charge4europe.com

Telephone: +492011248890

Website: www.charge4europe.com

 

C4E is a joint venture between DKV EURO SERVICE GmbH + Co. KG (DKV) and innogy eMobility Solutions GmbH (eMS). The purpose of C4E is to integrate third-party providers of charging stations and charging points, so-called Charge Point Operators (CPO), into a common charging network through which DKV and eMS can provide or sell charge current and other electromobility goods and services to customers.

Relevant supervisory authority

The State Data Protection and Freedom of Information Officer for North-Rhine Westphalia

Postfach 20 04 44

40102 Düsseldorf

Tel.: +49 211 38424-0

Fax: +49211 38424-10

E-Mail: poststelle@ldi.nrw.de

Website: www.ldi.nrw.de

III. Definitions

The definitions are governed by the Regulation (EU) 679/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereafter "General Data Protection Regulation" or "GDPR") and the German Data Protection Act (Bundesdatenschutzgesetz, BDSG), in the versions applicable since 25.05.2018. In particular, the definitions under Articles 4 and 9 GDPR apply. Please note that the GDPR and the BDSG only apply if the personal data of natural persons is processed. For the data of legal entities (e.g. a GmbH, AG or Genossenschaft/ cooperative etc.), data protection law does not apply, unless a tradesperson is the data subject as a natural person, a GmbH is a one-man company, or the personal data of employees of legal entities is processed.

IV. General Principles / Information

1. Scope of the processing of personal data

We collect and use personal data of our customers and users only insofar as this is necessary for providing our goods and services and for providing our web and online platforms (including mobile apps), or a legal basis allows the collection and/or use of personal data for other purposes.

 

2. Legal basis

If personal data is processed on the basis of the data subject's consent, Article 6 (1), letter a GDPR forms the legal basis for the processing.

In cases where personal data is processed for the performance of a contract to which the data subject is a party, Article 6 (1), letter b GDPR forms the legal basis; this also applies to processing necessary for the implementation of precontractual measures.

If personal data is processed in order to comply with a legal obligation to which we are subject, Article 6 (1), letter c GDPR forms the legal basis. If processing of personal data is necessary in order to protect vital interests of the data subject or any other natural person, Article 6 (1), letter d GDPR forms the legal basis.

If processing takes place in order to protect a legitimate interest of our company or a third party, and this interest is outweighed by the data subject's interests or basic rights or basic freedoms, Article 6 (1), letter f GDPR forms the legal basis of the processing.

If processing of personal data takes place after a change in the purpose, i.e. the data is to be used for a purpose other than that for which it was originally collected, Article 6 (4) GDPR forms the legal basis.

If any processing of special categories of personal data within the meaning of Article 9 GDPR takes place, the explicit consent of the data subject pursuant to Article 9 (2) letter a in conjunction with Article 6 (1) letter a GDPR and/or a statutory authorisation pursuant to Article 9 (2) letters b-j GDPR forms the legal basis for the processing.

 

3. Enforcement of claims / fulfilment of statutory obligations

We reserve the right to process personal data for the purpose of enforcing claims in pursuing legitimate interests pursuant to Article 6 (1) letter f GDPR; this also includes any transfer of data to Schufa (see subsection VI0), authorities and/or courts. Data can also be processed and/or transferred for the purpose of fulfilling statutory or legal obligations (e.g. information to authorities etc.); Article 6 (1) letter c GDPR forms the legal basis for this.

 

4. Obtaining consent / right to withdraw

Generally, consent is obtained electronically pursuant to Article 6 (1) letter a GDPR. Consent is given by ticking a box in the corresponding field for the purpose of documenting that the consent has been given. If consent is given electronically, the so-called double-opt-in procedure (https://www.onlinemarketing-praxis.de/glossar/double-opt-in) is used for the purpose of identifying the user, where this is required by law. The content of the declaration of consent is recorded electronically.

Right to withdraw: Please note that consent once given may be withdrawn in whole or in part at any time with effect for the future. The lawfulness of the processing that has taken place on the basis of the consent given until such withdrawal will remain unaffected by this. If you wish to withdraw your consent, please use the contact details given in Section II (data controller or Data Protection Officer).

 

5. Possible recipients of personal data

In order to provide our goods and services (including web and/or online offerings), we sometimes use third-party service providers who act on our behalf and in accordance with our instructions in the provision of the services (commissioned processors). These service providers may receive personal data or come into contact with personal data in the provision of the services and are third parties or recipients within the meaning of the GDPR.

In such cases, we ensure that our service providers offer sufficient guarantees that suitable technical and organisational measures exist and that processing is carried out so that it is in accordance with the requirements of this regulation and ensures that the rights of the data subject are protected (cf. Article 28 GDPR).

Insofar as personal data is transmitted to third parties and/or recipients outside of commissioned processing, we shall ensure that this occurs only in compliance with the requirements of the GDPR (e.g. Article 6 (4) GDPR) and only if a corresponding legal basis exists (e.g. Article 6 (4) GDPR; see also subsection IV.2).

 

6. Processing of data in so-called third countries

The processing of your personal data will generally take place in the EU or the European Economic Area ("EEA").

Only in exceptional cases (e.g. in connection with the use of service providers for the performance of web analysis services) may information be transmitted to so-called "third countries". "Third countries" are countries that are outside of the European Union and the Agreement on the European Economic Area. Therefore, it cannot be automatically assumed that the level of data protection in those countries is adequate and corresponds to the standards in the EU.

Prior to transmitting any information that also includes personal data, we ensure that an adequate level of data protection is guaranteed in the respective third country or at the respective recipient in the third country. This may be ascertained by a so-called "adequacy decision" of the European Commission or ensured by using the so-called “EU standard contractual clauses". In the case of recipients in the USA, compliance with the principles of the so-called "EU-US Privacy Shield" may also ensure an adequate level of data protection. We would be happy to provide you with further information on suitable and adequate safeguards for adherence to an adequate level of data protection upon request; the contact details can be found at the beginning of this Data Privacy Statement. Additionally, information on the participants in the EU-US Privacy Shield can be found here www.privacyshield.gov/list.

 

7. Data erasure and storage period

The data subject's personal data will be erased or blocked if the data is no longer needed for the purpose for which it was processed. Instead of being erased, the data may continue to be stored with the processing of this data restricted, if this is provided for by the European or national legislators in ordinances, laws or other provisions under European Union law to which our company is subject, e.g.

• for compliance with statutory retention requirements (e.g. the German Fiscal Code (Abgabenordnung, AO) or the German Commercial Code (Handelsgesetzbuch, HGB), currently between 6 and 10 years), and/or

• if there are legitimate interests in such storage (e.g. in the course of limitation periods for the purpose of a legal defence against any claims (Sections 195 ff of the German Civil Code (BGB)), currently between 3 and 30 years).

The legal basis for this is provided by Art. 6 (1) letter c and letter f GDPR. The data will also be blocked or erased when a storage period prescribed by the aforementioned standards expires, unless further storage of the data is necessary for the conclusion of a contract or for other purposes (e.g. legitimate interests pursuant to Article 6 (1) letter f GDPR).

V. Data Categories

With regard to the types of personal data, we distinguish between (i) master data, (ii) contract performance data, (iii) third-party data and – where relevant – (iv) special categories of personal data within the meaning of Article 9 GDPR.

 

1. Master data

Master data is data about your company and/or your person which you provide in the contract initiation process, contract conclusion process and the subsequent contract performance. This data is provided in the contract forms used by us and includes in particular information such as the company name, surname, first name, address, date of birth, e-mail address, telephone number, fax and bank and account details for billing purposes. You can also provide us with further data in your application on a voluntary basis, e.g. a mobile phone number, your preferred language for correspondence or other interests and preferences. We refer to this data provided by you collectively as “master data”.

 

2. Contract performance data

Contract performance data is data which is collected in the contract performance or contract fulfilment and processed by us for contract performance, billing, administration, further development or marketing of our offers, goods and services. In some cases this data does not directly relate to a natural person, but generally such a relationship to a person can be established. Contract performance data may include, depending on the goods and services provided, e.g. the following data: (i) data necessary for the preparation of offers (including finance), (ii) data necessary for the ordering / use of goods and services (e.g. charging data, names of employees), (iii) payment and billing data, or (iv) data / information for the handling of enquiries or complaints.

 

3. Third-party data

Personal data is generally collected from you directly. However, it can occur that we do not collect personal data from you directly, but that we obtain this from third-party companies and/or contract partners, e.g. within the scope of separate contractual relationships (so-called third-party data). Such data about your company / your person may include e.g. address data, billing data from third parties (e.g. from our service partners), credit rating information or the like.

VI. Data processing for the provision / operation of a charging network

C4E is responsible for concluding appropriate contractual relationships with the CPOs and ensures in these contracts that DKV and eMS can provide electromobility goods and services to customers through the integrated charging stations of the CPOs. Insofar as data protection regulations are relevant in the contractual relationship, we, C4E, process the personal data of the CPOs on the basis of the relevant data protection regulations, in particular the GDPR and German Data Protection Regulation (BDSG) as follows:

 

1. Purposes and legal basis of the processing:

We collect and process personal data for the following purposes and on the following legal basis:

 

1.1. Integration of charging stations into a common charging network.

Master data, contract performance data and third-party data – which may include personal data of the CPOs including data of their employees and/or workers – is used by us for the purpose of contract initiation, contract conclusion and the subsequent contract performance in connection with the contractually-agreed integration of charging stations into a common charging network, insofar as the processing is necessary for this purpose. This may include in particular data processing for the purpose of the provision / delivery including the billing of charge current and other goods and services which are provided to customers of DKV and/or eMS through the charging stations of the CPOs. Article 6 (1) letter b GDPR and Article 6 (1) letter f GDPR (legitimate interests) form the basis for the aforementioned data processing; legitimate interests lie here in the provision of electromobility goods and services to customers of DKV and/or eMS in a service chain.

 

1.2. Credit check / credit agencies / credit rating

We reserve the right to obtain and process information from credit rating service providers on the basis of the personal data collected in the within the scope of the contractual relationship. We also reserve the right to process data at credit agencies and credit rating service providers to establish credit and default risks – in particular in the cases stated in Section 31 (2) BDSG – in pursuing legitimate interests of our company and third parties; this is possible for example when a payment is not made despite being due. Such data queries and transfers are only made on the basis of Article 6 (1) letter f GDPR insofar as this is necessary to protect our legitimate interests or the legitimate interests of third parties of guarding against bad debt, unless this interest is outweighed by the data subject's interests or basic rights and freedoms. We point out that credit agencies and credit rating service providers also process and use the data obtained for the purpose of profiling (scoring), in order to provide their contract partners in the European Economic Area and in Switzerland and where applicable other third countries (provided that an adequacy decision has been made by the European Commission for this country) with information about among other things the assessment of the creditworthiness of natural persons. For this data processing, the respective credit agencies and credit rating service providers are the data controllers within the meaning of the GDPR; if you have any questions concerning the data processing by these credit rating service providers, you have to contact them direct. We would be happy to provide you with the respective contact details upon request. On the basis of the data provided by the credit rating service providers and the payment behaviour of the CPOs, C4E also reserves the right to carry out its own credit rating (scoring). This takes place in an automated process taking into account the data protection requirements of Article 22 GDPR and Section 31 BDSG; the credit rating is carried out by an external service provider, Prof. Schumann AG, which is employed by C4E as a commissioned processor pursuant to Article 28 GDPR; address data is not processed in the credit rating. Article 6 (1) letter f. in conjunction with Article 22 (2) letter a. GDPR forms the legal basis for C4E carrying out its own credit rating.

 

1.3. Billing of goods and services

For the purpose of the billing of goods and services, insofar as necessary in C4E’s relationship with CPOs, we use the master data provided by the CPOs, the contract performance data necessary for billing (e.g. equipment purchased, services used etc.) and on a case-by-case basis third-party data (e.g. when customers purchase equipment via third-party service partners of C4E , or if we acquire receivables from third parties for the purpose of (uniform) billing). Article 6 (1) letter b GDPR (contract fulfilment/implementation of precontractual measures) and Article 6 (1) letter f. GDPR (legitimate interests) forms the legal basis for such processing.

 

1.4. Enforcement of claims / fulfilment of statutory obligations

We reserve the right to use personal data for the enforcement of claims in and out of court. Article 6 (1) letter b GDPR (contract fulfilment/implementation of precontractual measures) or Article 6 (1) letter f. GDPR (legitimate interests) forms the legal basis for such processing of data. Data can also be processed and/or transferred for the purpose of fulfilling statutory or legal obligations (e.g. transfer of information to authorities etc.); Article 6 (1) letter c GDPR forms the legal basis for this.

 

2. Electronic customer accounts for customers / CPOs

We offer our customers the opportunity to open an electronic user account for the future use of certain services. When they register and open the user account, the following personal data (“mandatory data”) is collected and stored by us:

• user name

• password

• the user’s business email address

• first name, surname, title

• company (insofar as relevant)

• address, state, federal state and town of the company At the time of registration (i) the user’s IP address and (ii) the date and time of registration are also stored. Data can also be provided on a voluntary basis. This data may include e.g. telephone number, fax number, mobile number or disclosures about the company such as number of employees, industry and fleet size. Mandatory data needed for the purpose of registration is marked as a mandatory field with an asterisk in the input screen. The registration can only take place if the mandatory fields have been filled in completely and truthfully. The registration process will only be completed when you confirm the link sent in an e-mail by us after the mandatory fields have been filled in. This information can be used on an anonymous basis among other things for the purpose of improving our service.

 

2.1. Purpose and legal basis

Registration of the user takes place for the purpose of access restriction and/or access control for specific content and services which we make available exclusively to users in our websites and/or online offerings. Such a registration can also take place for the purpose of making specific content and services available for registered users for contract fulfilment and/or implementation of precontractual measures. Where the user has given consent, Article 6 (1) letter a GDPR forms the legal basis for the processing of the data for the purpose of registration. If the registration serves the fulfilment of a contract to which the user is a party, or the implementation of precontractual measures, Article 6 (1) letter b GDPR forms the legal basis for the processing. If the registration is for the purpose of access restriction and/or access control, the protection of legitimate interests forms the legal basis, Article 6 (1) letter f. GDPR; the legitimate interest lies in the restriction of access to protect the content and information developed by us.

 

2.2. Data erasure and storage period

If a registration takes place in connection with contract fulfilment or the implementation of precontractual measures (Article 6 (1) letter b GDPR), the registration data will be stored for the duration of the respective order or contractual relationship and erased or blocked after the end of the term of the respective contract or cancellation period taking into account subsection IV.7. If a registration takes place and is not in connection with contract fulfilment or the implementation of precontractual measures, the registration data will be erased taking into account subsection IV.7 as soon as a registration on our website is cancelled or amended, or is erased by the user.

 

2.3. Objection and deletion

As a user, you have at all times the opportunity to cancel or erase the registration. You can amend the stored data concerning you at any time. If the data is (still) needed for the fulfilment of a contract or the implementation of precontractual measures, an early erasure of the data is only possible if contractual or statutory obligations do not require otherwise.

 

3. Possible recipients of data / persons with authorisation to access data

In the performance of our services and the related processing of personal data, our employees have access to data for the fulfilment of the purposes stated in subsection VI on a “need-to-know” basis. This means that the group of persons with authorisation to access the data is restricted to those employees necessary for the fulfilment of the respective processing purpose. For the fulfilment of the purposes stated in subsection VI, data can also be transferred to and processed by (technical) services providers, subcontractors, vicarious agents and/or service partners who work for C4E in the fulfilment of the aforementioned purposes, in particular for the purpose of contract performance. Your personal data will also be used by other companies who work for C4E (“commissioned processors”) or in business partnerships with C4E. These include in particular DKV EURO SERVICE GmbH + Co. KG (DKV), innogy eMobility Solutions GmbH (eMS) and innogy SE; these act at the same time as (technical) service providers for us. Data may also be transferred for the purpose of payment transactions (e.g. to banks, payment service providers) and/or for the implementation of financing. Data can also be transferred to courts, lawyers, collection agencies and/or public bodies for the purpose of enforcing claims and/or fulfilment of statutory obligations (e.g. reporting obligations, fulfilment of obligations in the case of product warnings and the like), see also subsection IV.3. With regard to possible recipients of data and the general organisation of access authorisations to data in our company, we also refer to the comments in subsection IV.5.

 

4. Data processing outside of the EEA

Data processing outside of the European Union (EU) and/or the European Economic Area (EEA) can take place e.g. in the event of the integration of charging stations outside of the EEA or the acquisition of charging stations in Russia or Belarus. Such data processing outside of the EEA for the purpose of contract performance is allowed pursuant to Article 49 GDPR, in particular pursuant to (1) letter b and/or letter c GDPR. If Article 49 GDPR does not apply and C4E is responsible for the processing of data locally under data protection law, C4E will take the measures stated in subjection IV.6 to ensure an adequate level of data protection. We would be happy to provide you with further information on this upon request.

 

5. Data erasure, storage period, withdrawal and objection

If the processing of personal data takes place in connection with contract fulfilment or the implementation of precontractual measures (Article 6 (1) letter b GDPR), the data will be stored for the duration of the respective order or contractual relationship and erased or blocked when the respective contract or cancellation period comes to an end (taking into account the periods stated in subsection IV.7. We use your name and postal address to recapture customers after the end of the contractual relationship. A balancing of interests in our favour forms the legal basis for this. Our legitimate interest lies in trying to convince you to use our products and services once again in advertising for customer reacquisition purposes. In addition to sending you direct advertising during our business relationship with you, we also have an overriding interest to use your data for this advertising purpose after the contract has come to an end. You can object to this processing at any time. If you have given us your consent during the course of the contractual relationship to contact you by e-mail or telephone for advertising purposes, we will use your data to contact you with advertising messages for a period of no more than 24 months after you give this consent, regardless of the length of the contractual relationship. Your data will continue to be used beyond this period unless you object to the advertising messages.

 

6. Obligation to provide personal data (mandatory data)

Data which is needed for the initiation, conclusion or implementation of a business relationship, including the fulfilment of related contractual obligations, and/or which we are required by law to collect, is known as mandatory data. Mandatory data is marked with an asterisk in our forms. If you do not provide this data, we may not be able to perform or may only be able to perform to a limited extent a contract concerning the integration of charging stations in our charging network; we reserve the right to refuse to conclude a contract if you do not provide mandatory data.

 

7. Automated decision-making / profiling pursuant to Article 22 (1) and (4) GDPR

We do not use any fully-automated decision-making within the meaning of Article 22 GDPR for the establishment and implementation of the business relationship. If we use this process in individual cases in the future, you will be informed separately of this, if this is required by law. Profiling based on the data collected an processed by us does not take place for this purpose.

VII. Data processing relating to suppliers / service partners / service providers / statutory obligations

We process the personal data of suppliers and/or service providers (hereafter collectively referred to as “suppliers”) who are natural persons and whose services we enquire about and/or use on a contractual basis for the purpose of contract fulfilment or performance. This may concern master data, contract performance data and third-party data. Article 6 (1) letter b GDPR (contract fulfilment / implementation of precontractual measures) forms the legal basis for such data processing.

As a company we have various statutory obligations (e.g. tax laws, German Commercial Code) which require the processing of your data in order to comply with the law. We also reserve the right to process the personal data of our suppliers for the purpose of enforcing claims in pursuing legitimate interests pursuant to Article 6 (1) letter f GDPR. This also includes in particular the transfer of data to credit rating service providers (see subsection VI.1.2), authorities and/or courts. Data can also be processed and/or transferred for the purpose of fulfilling statutory or legal obligations (e.g. information to authorities etc.); Article 6 (1) letter c GDPR forms the legal basis for this.

We determine on a case-by-case basis and as necessary whether we are allowed to enter into a business relationship with you taking into account

• the EU Regulations No. 2580/2001 and No. 881/2002,

• the German Money Laundering Act (Geldwäschegesetz),

• the UK Bribery Act,

• the US sanctions lists (e.g. the Denied Persons List (DPL) of the US Bureau of Industry and Security (BIS), the Specially Designated Nationals and Blocked Persons List (SDN List) of the Office of Foreign Assets Control (OFAC) and the Entity List of the US Bureau of Industry and Security – Department of Commerce)

• the World Bank List of Ineligible Firms & Individuals

and conduct business partner checks in accordance with the aforementioned regulations and lists.

VIII. Data processing for purpose of the newsletter / advertising / marketing / public relations

Any use of personal data for the purpose of advertising and/or marketing purposes (e.g. newsletter), for the conducting of customer satisfaction surveys and for the purpose of press and public relations (hereafter collectively referred to as “marketing”) only takes place if you have given the appropriate consent or if there is some other legal basis which allows this without your consent.

Specifically:

 

1. Newsletter registration

If you would like to receive the newsletter offered by us, we need a valid e-mail address from you. In order to verify that you are the owner of the e-mail address provided or that the owner of the e-mail address agrees to receive the newsletter, we send an automated e-mail to the e-mail address provided after the first registration step (so-called double opt-in). We only add the e-mail address provided to our distribution list after the newsletter registration has been confirmed via a link in the confirmation e-mail. We do not collect any data in addition to the e-mail address and the data confirming the registration. Your data is processed exclusively for the purpose of sending the newsletter ordered by you. Article 6 (1) letter a GDPR and Section 7 of the German Unfair Competition Act (UWG) form the basis for this (see below). You can unsubscribe from the newsletter at any time; the comments on the right to withdraw consent under subsection IV.4 apply additionally.

 

2. Use of personal data for advertising and marketing messages / customer surveys

Any use of your personal data for the purpose of advertising and/or marketing messages and conducting customer satisfaction surveys only takes place if you have given the appropriate consent or if there is some other legal basis which allows advertising and/or marketing messages without consent. Insofar as this is permitted by law, we reserve the right to contact customers for advertising purposes using data in the public domain and/or the address data of third parties who extract this from public sources (e.g. data from directory media, the internet, company homepages, public records or the like).

• Explicit consent pursuant to Article 6 (1) letter a GDPR forms the legal basis for advertising and/or marketing measures; the comments on consent under subsection IV.4 apply accordingly.

• Article 6 (1) letter f. GDPR (legitimate interests) forms the legal basis for any use of personal data for the purpose of direct advertising by letter post; the legitimate interest here lies in contacting potential customers for the purpose of the direct advertising of our products and services.

• Section 7 (2) No. 2 UWG forms the legal basis for telephone advertising and/or marketing measures; this requires in the case of consumers their explicit consent, in the case of other market participants at least presumed consent; for the requirement of explicit consent, see above and subsection IV.4.

• Section 7 (3) UWG forms the basis for advertising and/or marketing measures via e-mail for the purpose of the direct advertising of our own similar goods or services, provided that we (i) have obtained your e-mail address in connection with the sale of a good or service, (ii) you have not objected to the use of your e-mail address for the purpose of direct advertising and (iii) we have informed you clearly when we collected and every time we use the e-mail address that you can opt out of such use of your e-mail address at any time (for the right to opt out see subsection IX.6). Any storage and use of personal data for the purpose of advertising takes place, dependent on the respective legal basis for the advertising measure (consent or legitimate interests) for an indefinite period of time until you object to the use of your data for the purpose of advertising or you have withdrawn your consent to this. You have the right to object at any time to the processing of your data on the basis of a balancing of interests or in the public interest, if there are grounds relating to your particular situation. This also applies to any profiling based on this provision. If you object, we will no longer process your personal data, unless we can provide proof of compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the enforcement, exercising or defence of legal rights. We also process your personal data for direct advertising purposes. If you do not want to receive any advertising, you have the right to object to this at any time; this also applies for profiling, insofar as it is related to such direct advertising. We will respect this objection with effect for the future. The objection can be made in any form and should be addressed to: In the event of your withdrawal or objection, the personal data will no longer be processed for the purposes concerned; this will not apply wherever processing of data is still necessary for the purpose of contract fulfilment (Article 6 (1) letter b GDPR) including statutory retention requirements and/or if the data is still needed for the purpose of legitimate interests (Article 6 (1) letter b GDPR) (e.g. if you opt out of advertising, the processing of data in a so-called blacklist in order to prevent future advertising messages). We would be happy to provide you with further information on our use of data for marketing purposes and/or the sources of our data upon request; please contact our Data Protection Officer, whose contact details can be found in Section II.

 

3. Press and public relations

In the area of press and public relations, we collect and process master data, contract performance data or third-party data from journalists and/or media representatives for the purpose and press and public relations. This may include in particular the provision of press releases, the handling of press enquiries, messaging media representatives the organisation or invitation to (press) events. Article 6 (1) letter b GDPR (contract fulfilment / implementation of precontractual measures) forms the legal basis for such processing, if this takes place for the fulfilment of a corresponding agreement and/or in relation to a specific enquiry. Data processing also takes place for the purpose of legitimate interests pursuant to Art. 6 (1) letter f GDPR; a legitimate interest lies here in the organisation of press and public relations for the benefit of the brands of the C4E Group.

IX. Rights of the data subject

Under the GDPR, the user has in particular the following data subject rights:

 

1. Right to information (Article 15 GDPR)

You have the right to request information on whether or not we process personal data concerning you. If our company processes personal data concerning you, you are entitled to information on

• the purposes for which the data is processed;

• the categories of personal data (type of data) processed;

• the recipients, or categories of recipients, to whom your data has been disclosed or is yet to be disclosed; this applies in particular if data has been disclosed, or is to be disclosed, to recipients in third countries where the GDPR does not apply;

• the planned storage period, insofar as possible; if it is not possible to specify the storage period, the criteria for defining the storage period (e.g. statutory retention periods or the like) will be communicated in each case;

• your right to rectification and erasure of the data concerning you, including the right to have processing restricted and/or the option of objection (see also the following subsections in this respect);

• the existence of a right to complain to a supervisory authority;

• the origin of the data in the case of personal data not collected directly from you. Furthermore, you are entitled to information on whether your personal data is the subject-matter of an automated decision as defined by Article 22 GDPR, and, if so, upon what decision-making criteria such an automated decision decision is based (logic), and what effects and implications this automated decision could have for you. If personal data is transmitted to a third country where the GDPR does not apply, you are entitled to information on whether and, if so, under what guarantees an adequate level of protection, within the meaning of Articles 45 and 46 GDPR, is ensured at the data recipient in the third country. You have the right to demand a copy of your personal data. Data copies will be made available by us in electronic form, unless you have specified otherwise. The first copy will be free of charge; an appropriate fee may be requested for further copies. The provision is subject to the rights and freedoms of other persons who may be affected by the transfer of the data copy.

 

2. Right to rectification (Article 16 GDPR)

You have the right to request that we rectify your data if this data is inaccurate, incorrect and/or incomplete; this right to rectification includes the right to make your data complete by means of supplementary statements or notifications. Rectification and/or supplementation will take place promptly, i.e. without culpable delay.

 

3. Right to erasure (Article 17 GDPR)

You have the right to demand that we erase your personal data if

• your personal data is no longer needed for the purposes for which it was collected and processed;

• the data is being processed on the basis of consent given by you, and you have withdrawn your consent, unless there is some other legal basis for the data processing;

• you have objected to the data processing pursuant to Article 21 GDPR, and no overriding legitimate reasons for continued processing exist;

• you have objected to data processing for the purpose of direct advertising pursuant to Article 21 (2) GDPR;

• your personal data has been processed unlawfully;

• the data concerned is a child's data collected in connection with information society services pursuant to Article 8 (1) GDPR. There will be no right to erase personal data if

• the right to freely express an opinion, or the right to information, conflicts with the request to erase;

• the processing of personal data is (i) necessary for compliance with a legal obligation (e.g. statutory retention requirements), (ii) for the performance of public tasks, or the protection of public interests, under European Union law and/or the law of its Member States (this includes interests in the field of public health) or (iii) for archiving and/or research purposes;

• the personal data is necessary for asserting, exercising or defending legal claims. The erasure will take place promptly, i.e. without culpable delay If we have made personal data public (e.g. on the Internet), we shall, insofar as this is technically possible and can be reasonably expected, ensure that third-party data processors are also informed of the request to erase, including the erasure of links, copies and/or replications.

 

4. Right to restriction of processing (Article 18 GDPR)

You have the right to have the processing of your personal data restricted in the following cases:

• If you have disputed the accuracy of your personal data, you may request of us that, whilst the accuracy is being checked, your data not be used for other purposes and be restricted in this respect.

• If your data is processed unlawfully, you may request instead of the erasure of your data pursuant to Article 17 (1) letter d GDPR, the restriction of the use of your data pursuant Article 18 GDPR.

• If you need your personal data to assert, exercise or defend legal claims, but your personal data is otherwise no longer needed, you may request that we limit processing to the aforementioned legal defence purposes.

• If you have objected to data processing pursuant to Article 21 (1) GDPR, and it has not yet been established whether our interests in processing outweigh your interests, you may request that, whilst this is being checked, your data not be used for other purposes and be restricted in this respect. Personal data whose processing has been restricted at your request will, except for storage, be processed only (i) with your consent, (ii) for asserting, exercising or defending legal claims, (iii) for protecting the rights of other natural persons or legal entities or (iv) for reasons of important public interest. If a processing restriction is lifted, you will be informed of this.

 

5. Right to data portability (Article 20 GDPR)

Subject to the following provisions, you have the right to request that the data concerning you be surrendered in a commonly used electronic, machine-readable data format. The right to data portability includes the right to transmit the data to another data controller. On request, we shall therefore - insofar as technically possible - transmit data directly to a data controller designated, or yet to be designated, by you. The right to data portability applies only to data provided by you and requires that the processing takes place on the basis of consent or for the performance of a contract and be carried out with the aid of automated procedures. The right to data portability pursuant to Article 20 GDPR does not affect the right to data erasure pursuant to Article 17 GDPR. The data transfer is subject to the rights and freedoms of other persons whose rights may be affected by the data transfer.

 

6. Right to object (Article 21 GDPR)

If personal data is processed for the performance of tasks that are in the public interest (Article 6 (1), letter e GDPR) or for the protection of legitimate interests (Article 6 (1), letter f GDPR), you may at any time, with effect for the future, object to the processing of personal data concerning you. If you exercise your right to object, we will refrain from all further processing of your data for the aforementioned purposes, unless

• the reasons for processing are compelling and worthy of protection and outweigh your interests, rights and freedoms, or

• processing is necessary for asserting, exercising or defending legal claims. You may at any time, with effect for the future, object to the use of your data for the purpose of direct advertising; this also applies for profiling, insofar as it relates to direct advertising. If you exercise your right to object, we will refrain from all further processing of your data for the purpose of direct advertising.

 

7. Prohibition of automated decisions / profiling (Article 22 GDPR)

Decisions that have a legal consequence for you or significantly affect you will not be based exclusively on automated processing of personal data, including profiling. This will not apply if the automated decision • is necessary for the conclusion or performance of a contract with you;

• is permissible under legal provisions of the European Union or its Member States, insofar as these legal provisions contain appropriate measures for protecting your rights, freedoms and legitimate interests, or

• is made with your express consent. Decisions based exclusively on automated processing of particular categories of personal data are generally not permitted, unless Article 22 (4) in conjunction with Article 9 (2), letter a or letter g GDPR apply and appropriate measures have been taken to protect your rights, freedoms and legitimate interests.

 

8. Legal protection options / right to complain to a supervisory authority

If you have any complaints, you may contact the relevant supervisory authority of the European Union or its Member States at any time. For our company, the supervisory authority specified in Section II is the relevant supervisory authority.

 

X. Amendments to the Privacy Statement

We reserve the right to amend the Privacy Statement at irregular intervals and will inform you of all material amendments which affect the use of your personal data. You can view the current version under the “Privacy” link on our websites.