Data privacy settings

We use cookies and other technologies (“Tools”) by means of which we read out / store information on your end device and process your personaldata.  Insofar as you grant us consents for these purposes, we will process this information and these data to analyze usage and also for marketing purposes.  In the process, data will also be transmitted to service providers.  To the extent personal data are transferred to third countries, there is the risk that local authorities may access and analyze said data, and also that your rights as a data subject may not be enforceable.  By clicking on “allow all” you will consent to the accessing, respectively storing, of information on the end device, to the processing of your personal data, as well as to the transfer of your data to third countries.  You may revoke the consents you have granted at any time. You will find additional details on this topic in our Privacy Notice.
Settings
Refuse optional toolsAllow all

Privacy Notice

With the present Privacy Notice, we wish to inform you about the processing of personal data and about the access taken to information on your end device and storage of information on it during usage of our elvah Hub Platform (referred to hereinbelow simply as the “Platform”), which is available at www.elvah.de.

1. Controller and contact partner

The following is the designated contact partner and party known as the “controller” within the meaning of the General Data Protection Regulation (GDPR) for purposes of processing your personal data while you visit and use the Platform:

elvah GmbH
Brüsseler Platz 1
45131 Essen, Germany

Tel.: +49 2641 8939580

Fax: +49 2641 8939589

Email: info@elvah.de

Contact data of the Data Protection Supervisor

PROLIANCE GmbH
Leopoldstr. 21
80802 Munich, Germany

www. datenschutzexperte.de
Email: datenschutzbeauftragter@datenschutzexperte.de

If you have any questions on the topic of data privacy in connection with the services we offer on our Platform, you are welcome to also consult our Data Protection Supervisor at any time.  When contacting the Data Privacy Supervisor, please specify the enterprise to which your enquiry pertains.  Please avoid including sensitive information in your enquiry (e.g. a copy of an ID document).

2. Data processing on our Platform

2.1 Registration

You have the option to register with an account for our login area so as to be able to use the full scope of functions of our Platform.  We have highlighted the data which you must mandatorily provide by marking them as required fields.  If you do not provide these data, you will not be able to register.  The following data may be processed in connection with the registration:

  • First name, last name;
  • Email address;
  • Password;
  • Name of the enterprise;
  • Telephone number (optional);
  • Electric Vehicle Supply Equipment (EVSE) ID – country code and operator ID (optional);
  • The time & date of your registration and the IP address you used in the process.

The legal basis for processing the data necessary for registration (required fields) is Article 6 (1) (b) of the General Data Protection Regulation.  For all other data, the legal basis is our legitimate interest, as provided for in Article 6 (1) (f) of the General Data Protection Regulation, in making the registration process as user-friendly as possible and in adapting our service to the needs of users.  We use the data provided exclusively to make your account available and to administer it, as well as for related purposes such as communicating with you in the context of contractual performance or providing relevant information about our Platform.

We also offer you the option of registering on our Platform via your Microsoft account or Google account.  These registration services are made available by the respective third-party providers.  If you make use of this function, you will be routed to the site of the third-party provider concerned, where you can then register with your login data.  In the process, certain personal data (e.g. your name, email address, and, as the case may be, additional profile data and technical information) will be transmitted to us from your account with the respective third-party provider.  We will use these data exclusively for identification purposes and to administer your user account.  The legal basis for this processing is Article 6 (1) (b) of the General Data Protection Regulation, since the data in question are necessary for performing the contract.

2.2 Subscribing to the newsletter

You will have the option to subscribe to our newsletter when registering, as well as through other channels.

We use the so-called “double opt-in” method for newsletter subscribers, i.e. we will not email newsletters to you until you confirm that you are the owner of the stated email address by clicking a corresponding link in our notification email.  Assuming you confirm your email address, we will then save your email address, the time and date of your subscription, along with the IP address you used to subscribe, until such time as you unsubscribe from the newsletter.  This storage serves the sole purpose of enabling us to send you the newsletters and to verify your subscription.

The legal basis of the processing is the consent you have granted in accordance with Article 6 (1) (a) of the General Data Protection Regulation.  You may withdraw this consent at any time with future effect by unsubscribing from the newsletter.  A corresponding cancellation link is included in every newsletter.  Sending a notification using the contact data provided above also will suffice.  In our newsletters, we use technologies that are customary for the market and that enable us to measure interactions with the newsletters (e.g. whether the email is opened, which links are clicked on).  We use these data in pseudonymized form for general statistical analysis and to optimize and further develop our content and communications with our customers.  The data are collected exclusively in pseudonymized form; they will not be linked with your other personal data.

2.3 Booking data and payment data

If you book fee-based services on the Platform, we will process the following data for this purpose:

  • Booking number;
  • Details of the booking;
  • Billing address;
  • IBAN and BIC, or the account number and bank routing code;  
  • Credit card data;
  • Credit rating data.

Since these data are necessary for performing the contract, the legal basis for the processing, insofar as personal data are involved, is Article 6 (1) (b) of the General Data Protection Regulation.

2.4 Use of the Platform

At elvah, improving and further developing the elvah Hub platform is an ongoing, continual process to ensure we provide our customers with functions and services that meet their needs.  As part of this development work, we monitor system security, manage the network infrastructure, and optimize and implement any features provided on request of our customers or in order to support them.  For these purposes, we collect, process, and analyze data about usage patterns on the elvah Hub.  These data allow us to customize the platform to meet customer requirements and ensure an optimal user experience.

In this context, we collect information about interactions with the platform (e.g. pages visited, links clicked on, duration of stay, navigation paths) and technical data (e.g. device type, browser type, IP address, and location data derived therefrom).  We deploy cookies and similar technologies for the analysis of the data.  To achieve the purposes set out above, we use the Mixpanel analysis tool.  The service is provided by Mixpanel, Inc., One Front Street, Floor 28, San Francisco, CA 94111, USA.  Mixpanel processes your data in compliance with the EU-U.S. Data Privacy Framework, meaning that the secure data transfer from the European Union to the United States is ensured.  In addition, Mixpanel uses what are known as standard contractual clauses (SCC) as provided for in Article 46 (2) and (3) of the General Data Protection Regulation.  These clauses ensure that even if your data are processed in third countries (such as the USA), this will be done in accordance with European data protection standards.

The collected data are processed in aggregated form and used exclusively to fulfill the purposes mentioned above.  They are not analyzed with regard to the individuals to which they pertain.  In order to provide our users with the services offered in the elvah Hub in keeping with the stipulations of the General Terms and Conditions, to ensure secure operations, and to continuously develop them further, it is absolutely indispensable for us to collect and process usage data.  Were we not to process these data, it would not be possible to render the performance contractually agreed.  The legal basis for this processing is the requirement of performing the contract in accordance with Article 6 (1) (b) of the General Data Protection Regulation.

3. Deployment of tools on the Platform

3.1 Technologies deployed

The Platform uses various services and tools (collectively referred to as “Tools”) which are offered either by us or by third parties.  These specifically include Tools employing technologies in order to access or store information on the end device:

  • Cookies: Information stored on the end device and specifically consisting of a name, a value, the storing domain, and an expiry date.  Cookies known as “session cookies” (e.g. PHPSESSID) are deleted after the session, whereas so-called “persistent cookies” are deleted after the specified expiry date.  Cookies may also be removed manually.
  • Web storage (local storage / session storage): Information stored on the end device and consisting of a name and a value.  The information in session storage is deleted after the respective session, whereas information in local storage does not have an expiry date and in principle will remain stored unless a mechanism to delete it has been put in place (e.g. local storage with entry of a date).  Information in local storage and session storage may also be removed manually.
  • JavaScript: Programming codes (scripts) that are retrieved or embedded on the website and which serve, for example, to set cookies and web storage or to actively collect information from the end device or about the visitor’s usage behavior.  Under certain circumstances, JavaScript may be deployed for “active fingerprinting” and to create usage profiles.  JavaScript can be blocked through a browser setting, but this will cause most services to stop working.
  • Pixel: A tiny graphic automatically uploaded from a service which may make it possible to recognize visitors by automatically transmitting the customary connection data (particularly the IP address, browser info, operating system, language used, address retrieved, and time and date of retrieval), as well as to determine, for example, whether an email has been opened or a website has been visited.  Pixels may sometimes be used in this way to perform “passive fingerprinting” and to create usage profiles.  The use of pixels can be prevented through the blocking of images, for example (say in emails), but this severely limits what can be displayed.

The use of these technologies, as well as merely connecting to a website, may make it possible to create so-called “fingerprints,” i.e. usage profiles which can still recognize visitors even though they dispense with cookies or web storage.  It is not possible manually to fully prevent fingerprints from being created as the result of a connection.

Most browsers feature standard settings allowing them to accept cookies, run scripts, and display graphics.  However, you generally will still be able to adjust your browser settings so as to reject all or certain cookies and to block all or certain scripts and graphics.  If you fully block the storage of cookies, the display of graphics and the running of scripts, our services are likely to function improperly or to stop working altogether.  

The Tools which we deploy are listed by category below, whereby we specifically inform you about the Tools’ respective provider, about the duration of storage of cookies or information in local and session storage, and about the disclosure of the data to third parties.  We also explain the specific cases in which we obtain your voluntary consent to our using the Tools and how you can withdraw such consent.

3.2 Legal basis and withdrawal of consent

3.2.1 Legal basis

We use Tools required to operate the Platform on the basis of our legitimate interest pursuant to Article 6 (1) (f) of the General Data Protection Regulation, namely to make the basic functions of our Platform available.  In certain cases, these Tools may also be necessary in order to perform a contract or to implement pre-contractual measures; in such cases, processing occurs in accordance with Article 6 (1) (b) of the General Data Protection Regulation.  Accessing and storing information on the end device is absolutely essential in these cases and occurs on the basis of the laws that serve to implement the ePrivacy Directive in the EU Member States; in Germany, this is section 25 (2) of the Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TDDDG, Act on Data Protection and Personal Privacy in Telecommunications and Digital Services).

All other, non-essential (optional) Tools serving to enable auxiliary functions are used by us on the basis of your grant of consent in accordance with Article 6 (1) (a) of the General Data Protection Regulation.  The information is then accessed and stored on the end device on the basis of the laws that serve to implement the ePrivacy Directive in the EU Member States; in Germany, this is section 25 (1) of the Act on Data Protection and Personal Privacy in Telecommunications and Digital Services.  Data are processed with the aid of these Tools only if we have received your prior consent for this purpose.

Insofar as a transfer of personal data to third countries takes places, we refer you to Clause 5 (“Data transfers to third countries”), also with respect to the associated risks.  We will inform you when an adequacy decision exists for the third country concerned or if Standard Contractual Clauses or other guarantees have been agreed for the usage of certain Tools.  If you have granted consent to the usage of certain Tools and to the concomitant transfer of your personal data to third countries, then, in accordance with Article 49 (1) (a) of the General Data Protection Regulation, we will transfer the data processed in connection with the Tools’ usage to third countries (also) on the basis of this consent.

3.2.2 Withdrawing your consent or changing your selection

You may withdraw your consent to certain Tools – i.e. to having your information stored and accessed on the end device, to having your personal data processed and having it transferred to third countries – at any time with future effect.  Please click on the Cookie button on the website for this purpose.  This is also where you can change your selection of the Tools to which you wish to consent and can find additional information on the Tools used.  Alternatively, you can declare your withdrawal for certain Tools directly vis-à-vis the provider.

3.3 Essential Tools

We use certain Tools in order to enable the basic functions of our Platform (“Essential Tools”).  These include, for example, Tools for preparing and displaying Platform content or for providing payment-settlement services.  Without these Tools, we could not make our service offer available.  Therefore, Essential Tools are used without any consent.

The legal basis for Essential Tools is their necessity for fulfilling our legitimate interests pursuant to Article 6 (1) (f) of the General Data Protection Regulation, namely to provide the respective basic functions and to operate our Platform.  Where providing the respective functions is necessary for performing a contract or for implementing pre-contractual measures, the legal basis for the data processing is Article 6 (1) (b) of the General Data Protection Regulation.  Accessing and storing information on the end device is absolutely necessary in these cases and occurs on the basis of the laws that serve to implement the ePrivacy Directive in the EU Member States; in Germany, this is section 25 (2) of the Act on Data Protection and Personal Privacy in Telecommunications and Digital Services.

For the eventuality that personal data are transferred to third countries, we refer you to Clause 5 (“Data transfers to third countries”) as a supplement to the information provided below.

3.3.1 Own Tools

We use Essential Tools of our own which serve to access information on the end device or to store information on the end device, particularly for purposes of:

  • Login authentication;
  • Load distribution;
  • Storing your language settings.

3.3.2 Stripe

Insofar as we settle payments, we use the services of Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland (“Stripe”).

Stripe is an external payment service provider whose services we employ in order to accept and process payments made for our account.  To this end, Stripe also deploys JavaScript and cookies.  We do not save any personally identifiable data or financial information such as credit card numbers in this context.  Instead, the payment data (particularly contact and transactions data such as credit card or banking data) are forwarded directly to Stripe.

Stripe processes the data also in order to identify and prevent improper financial transactions, to implement legal requirements in the financial sector, as well as to analyze, further develop, and improve its products.  This processing of your personal data by Stripe has been provided for in its Privacy Notice: https://stripe.com/privacy.

The data processed through cookies and other technologies particularly includes communications data (IP address, device identifier, browser version, operating system information).  In order to prevent and identify fraud, Stripe sets the following cookies with the storage duration set out below, and subsequently reads them out:

  • “__stripe_mid” (1 year);
  • “__stripe_sid” (30 minutes);
  • “m” (2 years).

The legal basis is Article 6 (1) (b) of the General Data Protection Regulation, the objective being to perform a payment in the context of a contract with you, and in all other regards, Article 6 (1) (f) of the General Data Protection Regulation, whereby the deployment of an external payment services provider is based on our legitimate interest in being able to offer you Stripe as an added payment option.

We have concluded a commissioned data-processing agreement with Stripe Payments Europe Ltd.  Stripe Payments Europe Ltd. may also transfer your personal data to Stripe Inc., Corporation Trust Center, 1209 Orange Street, Wilmington, New Castle, DE 19801 in the United States.  Stripe Inc. has acceded to the EU-U.S. Data Privacy Framework, which means that, pursuant to Article 45 of the General Data Protection Regulation, the transfer in this case will occur on the basis of the adequacy decision adopted for the United States.

You will find additional information in the Privacy Notice of Stripe: https://stripe.com/privacy.

3.4 Functional Tools

In addition, we use optional Tools in order to improve the user experience on our Platform and to be able to offer you more functions (“Functional Tools”).  While these are not absolutely essential for the website’s basic functions, they can still provide benefits to the user, particularly in terms of user friendliness.

The legal basis for the Functional Tools is the consent you have granted in accordance with Article 6 (1) (a) of the General Data Protection Regulation.  The information is then accessed and stored on the end device on the basis of the laws that serve to implement the ePrivacy Directive in the EU Member States; in Germany, this is section 25 (1) of the Act on Data Protection and Personal Privacy in Telecommunications and Digital Services.  For withdrawal of your consent, see Clause 3.2.2: “Withdrawing your consent or changing your selection.”

For the eventuality that personal data are transferred to third countries, we refer you to Clause 5 (“Data transfers to third countries”) as a supplement to the information provided below.

3.4.1 HubSpot

Our website uses services of the provider HubSpot Ireland Limited, 2nd Floor 30 North Wall Quay, Dublin 1, Ireland (“HubSpot”), namely for marketing and distribution purposes.

The following cookies are set by HubSpot in order to make the basic functionality available:

  • “_hs_opt_out” (6 months): implements cookie-consent management;
  • “_hs_initial_opt_in” (6 months): implements cookie-consent management;
  • “_cfduid” (30 days): a security and performance cookie from the CDN provider Cloudflare to prevent improper use;
  • “_cfruid“ (session): a security and performance cookie from the CDN provider Cloudflare to measure and reduce traffic;
  • “messagesUtk” (6 months): recognizes visitors in the context of live chats;
  • “hs_messages_is_open” (30 minutes): records whether the chat widget of the live chat is open;
  • “hs-messages-hide-welcome-message” (1 day): records whether the welcome message already has been displayed.

The following cookies are also set for usage analysis by HubSpot:

  • “_hstc” (180 days): a tracking cookie with information on user recognition, on the time stamp of the first, last and current session, as well as on the number of sessions;
  • “_hssc” (30 minutes): a tracking cookie for tracking the sessions;
  • “_hssrc” (session): a tracking cookie for identifying a browser restart;
  • “hubspotutk” (180 days): recognizes returning visitors.

For more information about cookies, we refer you to the website of HubSpot: https://knowledge.hubspot.com/de/reports/what-cookies-does-hubspot-set-in-a-visitor-s-browser, as well as to the website of Cloudflare: https://support.cloudflare.com/hc/en-us/articles/200170156-Understanding-the-Cloudflare-Cookies.

The following information is stored in local storage:

  • “__hmpl”: visitor preferences and interactions with web campaigns;
  • “HUBLYTICS_EVENTS_53”: a personalized counter for playing out advertisements.  

The legal basis for this data processing is the consent you have granted in accordance with Article 6 (1) (a) of the General Data Protection Regulation.  The information is then accessed and stored on the end device on the basis of those laws that serve implement the ePrivacy Directive in the EU Member States; in Germany, this is section 25 (1) of the Act on Data Protection and Personal Privacy in Telecommunications and Digital Services.

We have concluded a commissioned data-processing agreement with HubSpot.  HubSpot Ireland Limited may also transfer your personal data to HubSpot Inc., Two Canal Park, Cambridge, MA 02141 in the United States.  HubSpot Inc. has acceded to the EU-US Data Privacy Framework, meaning that, pursuant to Article 45 of the General Data Protection Regulation, the transfer will in this case occur on the basis of the adequacy decision adopted for the United States.

For additional information, we refer you to the Privacy Policy of HubSpot: https://legal.hubspot.com/privacy-policy.

3.5 Marketing Tools

We also use optional Tools for advertising purposes (“Marketing Tools”).  Some of the access data that accrue during usage of our website are used to create usage profiles which specifically record your usage behavior, the advertisements you have viewed or clicked and, on this basis, the advertisement categories, interests, and preferences for your profile.  Analyzing and evaluating these access data allows us to show you personalized advertisements – i.e. ones which correspond to your actual interests and needs – on our website and on the websites and services of other providers.  In the process, we also analyze your usage behavior in order to recognize you on other websites and to engage with you in personalized fashion based on your usage of our website (this is known as “retargeting”).  In addition, we assess the efficacy and success of our advertising campaigns (particularly “conversions” and “leads”).

The legal basis for the Marketing Tools is the consent you have granted in accordance with Article 6 (1) (a) of the General Data Protection Regulation.  The information is then accessed and stored on the end device on the basis of the laws that serve to implement the ePrivacy Directive in the EU Member States; in Germany, this is section 25 (1) of the Act on Data Protection and Personal Privacy in Telecommunications and Digital Services.  For withdrawal of your consent, see Clause 3.2.2: “Withdrawing your consent or changing your selection.”

For the eventuality that personal data are transferred to third countries, we refer you to Clause 5 (“Data transfers to third countries”) as a supplement to the information provided below.

Below, we wish to provide you with a fuller explanation of the Tools and of the providers deployed to this end.  The data collected may include the following in particular:

  • IP address of the device;
  • Information found in a cookie and in local or session storage;
  • Device recognition data of mobile devices (e.g. device ID, advertising ID);
  • Referrer URL (the website visited directly prior);
  • Webpages called up (date, time, URL, title, time spent on the page);
  • Files downloaded;
  • Links to other websites that were clicked;
  • Depending on circumstances, performance in attaining certain targets (conversions);
  • Technical information: operating system; type, version and language of the browser; type, brand, model and resolution of the device;
  • Approximate location (country and, if applicable, town).

The collected data are stored exclusively in pseudonymous form, however, so that no direct conclusions can be drawn about the persons to whom they relate.

3.5.1 LinkedIn Insight Tag

Our Platform uses the LinkedIn Insight Tag service, which is offered for persons from the European Economic Area (EEA) and Switzerland by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland, and for all other persons by LinkedIn Corporation, 2029 Stierlin Ct. Ste. 200 Mountain View, California 94043, United States (jointly referred to as “LinkedIn”).

This enables us to collect statistical data about your visit and the usage of our website, and also to evaluate said data.  This in turn allows us to show you relevant offers, recommendations, and advertisements on LinkedIn that are derived from, and relevant to, your interests (retargeting).  An analysis of the efficacy of the advertisements (conversion tracking) is also performed in the process.  LinkedIn uses cookies, pixels, and JavaScript for this purpose.

The following cookies are set and read out by LinkedIn:

  • “lang” (session): records the language setting;
  • “lidc” (24 hours): optimizes the selection of a data center;
  • “lissc” (1 year): a cookie that causes all the cookies in the browser to use the same SameSite attribute;
  • “bcookie” (365 days): prevents improper usage;
  • “UserMathHistory” (30 days): analyzes usage, synchronizes the IDs with LinkedIn Ads;
  • “li_gc” (180 days): records the user’s grant of consent;
  • “AnalyticsSyncHistory” (30 days): performs storage in order to synchronize information on LinkedIn members.

For further information on cookies, please navigate to: https://www.linkedin.com/legal/l/cookie-table.

The legal basis for this data processing is the consent you have granted in accordance with Article 6 (1) (a) of General Data Protection Regulation.  The information is then accessed and stored on the end device on the basis of the laws that serve to implement the ePrivacy Directive in the EU Member States; in Germany, this is section 25 (1) of the Act on Data Protection and Personal Privacy in Telecommunications and Digital Services.

Insofar as you are logged into LinkedIn while you visit our website, LinkedIn can link up the collected information with your member account and use it for the targeted placement of advertisements on LinkedIn.  You can inspect your privacy settings on LinkedIn under the following Link: https://www.linkedin.com/psettings/enhanced-advertising.

We have concluded a commissioned data-processing agreement with LinkedIn.  LinkedIn Ireland Unlimited Company may also transfer your personal data to LinkedIn Corporation in the United States.  To this end, we have concluded Standard Contractual Clauses with LinkedIn Corporation (Commission Implementing Decision (EU) 2021/914, Module 2) in accordance with Article 46 (2) (c) of the General Data Protection Regulation.

For additional information, we refer you to the Privacy Policy of LinkedIn: https://www.linkedin.com/legal/privacy-policy.

4. Disclosure of data to third parties

As a matter of principle, the data we collect will be disclosed to third parties only if a legal basis for doing so exists under data protection law in the specific case; in particular if:

  • You have granted your express consent to such a disclosure pursuant to Article 6 (1) (a) of the General Data Protection Regulation;
  • The disclosure is necessary, as stipulated in Article 6 (1) (f) of the General Data Protection Regulation, in order to assert or exercise legal claims or to defend against them and there is no reason to assume that you have a preponderant interest meriting protection in not having your data disclosed;
  • We are legally obligated, under Article 6 (1) (c) of the General Data Protection Regulation, to disclose the data, particularly when this is necessary for purposes of pursuing or enforcing legal actions due to enquiries from the authorities, or due to court decisions or legal proceedings.
  • The disclosure is legally permissible and is necessary, pursuant to Article 6 (1) (b) of the General Data Protection Regulation, in order to perform any contractual relationships with you, or to implement pre-contractual measures which you have requested.

A portion of the data processing may be performed by our service providers.  Besides the service providers specified in the present Privacy Notice, these may also specifically include: EDP centers that store our website and databases; software providers and IT service providers who maintain our systems; agencies; market-research enterprises; affiliate enterprises of our corporate group; as well as consulting enterprises.  Insofar as we disclose data to our service providers, they will be authorized to use the data exclusively for purposes of fulfilling their respective tasks.  We have taken care in selecting and commissioning said service providers.  They are contractually bound to follow our instructions, they dispose over appropriate technical and organizational safeguards to protect the rights of data subjects, and they are monitored by us on a regular basis.

5. Data transfers to third counties

As explained in the present Privacy Notice, we deploy services from providers who may sometimes have their seats in so-called “third countries” (outside the European Union or European Economic Area, respectively) or who may process personal data in such “third countries,” i.e. countries in which the level of data privacy does not correspond to that given in the European Union.  Insofar as this applies and the European Commission has not adopted an adequacy decision for the relevant country (as per Article 45 of General Data Protection Regulation), we have put in place corresponding safeguards to ensure an appropriate level of data privacy for any data transfers.  These include, amongst others, the Standard Contractual Clauses of the European Union and binding internal data privacy regulations.

Where this is not possible, we base the data transfers on the exceptions defined under Article 49 of the General Data Protection Regulation, particularly your express grant of consent or the need to transfer the data for purposes of performing a contract or implementing pre-contractual measures.

Insofar as a transfer to a third country is envisioned and no adequacy decision or appropriate guarantees are in place, it is possible and there is the risk that authorities in the third country concerned (e.g. intelligence services) could obtain access to the transferred data so as to capture and analyze it, and that it will be impossible to guarantee the enforceability of your rights as data subject.  You will be advised of this risk when we obtain your consent via the consent banner.

6. Duration of storage

As a matter of principle, we store personal data only for as long as necessary to fulfill the purposes for which we collected the data.  After that, we will delete the data without undue delay, except in cases in which we need to retain them for evidentiary purposes in connection with civil-law claims until expiry of the statutory prescription period, or in order to fulfill statutory archiving obligations, or in specific cases in which there is some other legal basis under data protection law for continuing to process your data.

We are specifically obligated to archive your data for evidentiary purposes for a further three years after the end of the year in which contractual relations with you have come to an end.  This is the earliest point in time at which any relevant legal claims will lapse under the normal statutory prescription period.

In some cases, we will have to store your data even longer than that for bookkeeping reasons.  We are required to do so by statutory documentation obligations which may result from the Handelsgesetzbuch (HGB, German Commercial Code), the Abgabenordnung (AO, Fiscal Code) Kreditwesengesetz (KWG, Banking Act), Geldwäschegesetz (GwG, Money Laundering Act) or Wertpapierhandelsgesetz (WpHG, Securities Trading Act).  The archiving periods for documents stipulated by these laws range from two to ten years.

7. Your rights, particularly to withdraw consent and object

Assuming the relevant legal requirements are met, you will be entitled to the rights of a data subject, as formulated in Article 7 (3) and Articles 15 to 21 of the General Data Protection Regulation:

  • The right to withdraw your consent (Article 7 (3));
  • The right to object to the processing of personal data concerning you (Article 21);
  • The right to receive information from us about personal data concerning you that is being processed by us (Article 15);
  • The right to obtain rectification of inaccurate personal data concerning you that is being stored by us (Article 16);
  • The right to obtain erasure of personal data concerning you (Article 17);
  • The right to obtain restriction of the processing of personal data concerning you (Article 18);
  • The right to receive personal data concerning you in a portable format (Article 20).

You may use the contact data provided above to assert any of the above-described rights at any time.  This also applies if you wish to obtain a copy of specific guarantees serving to document an adequate level of data privacy.  Insofar as the relevant legal requirements are met, we will honor your data-privacy-related request.

Your enquiries regarding the assertion of data privacy rights and our responses thereto will be archived for a period of up to three years for documentation purposes and, where the individual case so dictates, for an even longer period for purposes of asserting, exercising or defending legal claims.  The legal basis for this, pursuant to Article 6 (1) (f) of the General Data Protection Regulation, is our interest in defending against legal claims under Article 82 of the General Data Protection Regulation, in avoiding administrative fines under Article 83 of the General Data Protection Regulation, as well as in fulfilling our duty of accountability under Article 5 (2) of the General Data Protection Regulation.

You have the right to at any time withdraw a consent you have already granted to us.  This will result in our ceasing to perform any further data processing on the basis of said consent.  However, the withdrawal of consent will not prejudice the lawfulness of processing that has already occurred on the consent’s basis up until the time of the withdrawal.

Insofar as we process data concerning you on the basis of legitimate interests, you have the right to any time object to the processing of your data for reasons relating to your particular situation.  If the objection is directed against data processing for direct advertising purposes, you enjoy a general right to object that will be honored by us without any grounds having been stated.

If you wish to make use of your right to withdraw or object, sending a free-form notification to the aforementioned contact point will suffice.  

Finally, you have the right, under Article 77 of the General Data Protection Regulation, to lodge a complaint with a supervisory authority competent for data protection.  For example, you may assert this right vis-à-vis a supervisory authority in the Member State that is your place of sojourn, your place of work, or the location of the alleged breach.  In Essen, where we are domiciled, the competent supervisory authority is the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (Commissioner for Data Protection and Freedom of Information of the Land of North Rhine-Westphalia), P.O. Box 200444, 40102 Düsseldorf, Germany.

8. Amendments to the Privacy Notice

We will update the present Privacy Notice from time to time, for instance when we make adjustments to our Platform or when there is a change in the applicable statutory or regulatory requirements.

Version: 2.0 / Effective as of: December 2024