Privacy Policy

We take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations of the EU General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) and this privacy policy, which informs you about the most important aspects of data processing in connection with our website.

I. Name and address of the controller

Verbraucherzentrale Bundesverband e.V. (Federation of German Consumer Organisations)

Rudi-Dutschke-Strasse 17

10969 Berlin

Phone: +49 30 25800-0

Fax: +49 30 25800-518

info@vzbv.de

represented by

Klaus Müller (Executive Director)

II. Contacting the data protection officer

In the event that you have questions concerning data protection at the Federation of German Consumer Organisations, you may contact our data protection officer at any time using the following contact details Datenschutzbeauftragter des Verbraucherzentrale Bundesverbands (vzbv)

Rudi-Dutschke-Strasse 17

10969 Berlin

datenschutzbeauftragter@vzbv.de

III. General remarks concerning data protection
1. Scope in which personal data is processed

Our website can generally be used without providing personal data. As a matter of principle, we only process personal data of our users where this is necessary for the provision of a functional website as well as our contents and services.

2. Legal basis for the processing of personal data

Where we obtain the consent of the data subject for the processing of personal data, the legal basis is Art. 6 para. 1 point a) EU General Data Protection Regulation (GDPR).

The legal basis for the processing of personal data for the performance of a contract or fulfilment of our services is Art. 6 para. 1 point b) GDPR. This applies also to processing that is carried out to take steps prior to entering into a contract.

Where the processing of personal data is necessary in order to protect the vital interests of the data subject or of another natural person, the legal basis is Art. 6 para. 1 point d) GDPR.

We set out the relevant legal basis for the processing of personal data in each of the processing operations described below.

3. Data erasure and duration of storage

The personal data of the data subject will be erased or blocked as soon as the purpose of their storage no longer applies. In addition, storage may take place if this has been provided for by the European or national legislator in Union regulations, laws or other provisions to which the controller is subject. Data will also be blocked or erased if a storage period prescribed by the aforementioned standards expires, unless continued storage of the data is necessary to enter into a contract or for the performance of a contract.

The erasure period will be specified in connection with processing operations to which an erasure period applies.

4.  Cooperation with processors and third parties

In the event that we transfer data to other persons and enterprises (processors or third parties) or otherwise grant them access to the data in connection with our data processing, this shall only take place on the basis of legal permission, your consent, a legal obligation, for the fulfilment of contractual relationships with you or if we have a legitimate interest in the transfer of data (e.g. when using authorised representatives or web hosting providers, etc.). Where we commission third parties with the processing of data within the framework of a “Data Processing Agreement”, this shall take place on the basis of Art. 28 GDPR.

5. Data security

We use the common SSL technology (Secure Socket Layer) on our website in connection with the highest encryption level supported by your browser in each case. This is usually 256-bit encryption. We revert to 128-bit v3 technology in the event that your browser does not support 256-bit encryption. You can tell whether a page on our internet presence is transferred in an encrypted form by the presence of a key or padlock symbol in the lower status bar of your browser. We otherwise implement suitable technical and organisational security measures to protect your data against coincidental or wilful manipulation, partial or complete loss, destruction or against unauthorised access by third parties. Our security measures are improved continuously in line with the state of the art.

6. Profiles on social media

It has been established by the highest courts that the operators of profiles, also association profiles, in social media are jointly responsible with the network operator for data processing in connection with these profiles.

We operate association profiles on social networks and platforms to communicate with interested persons and users who are active there and to inform them about our services. The privacy policies issued by the respective operators of the social networks and platforms apply when their services are accessed.

Except where otherwise stated in our privacy policy, we process the data of users insofar as they communicate with us on the social networks and platforms, i.e. they post comments on our internet presences or send us messages.

IV. Provision of the website and creation of log files
Scope in which personal data is processed

The browser used on your device automatically sends information to our website servers when you access our website at www.vzbv.de. This information is temporarily stored in a log file. The following information is collected without your involvement, stored and erased after 14 days, in special cases such as error notifications and warnings after 8 weeks at most:

  • browser type and version
  • operating system
  • referrer URL
  • IP address of the accessing computer
  • time of the server request

These data are processed by us for the following purposes:

  • to ensure the establishment of a smooth connection to the website;
  • to ensure convenient use of our website;
  • to evaluate system security and stability;
  • to prevent possible criminal offences; and
  • for other administrative purposes.

The legal basis for this data processing is Art. 6 para. 1 sentence 1 point f) GDPR. The purposes of data processing listed in the foregoing constitute our legitimate interests. On no accounts do we use the collected data for the purpose of drawing conclusions about you personally. We also use cookies and analysis services when you visit our website. For more information in this regard, please refer to sections V and VIII of this privacy policy.

V. Use of cookies

Cookies are used in some instances on these internet pages. They are small text files that are generated automatically by your browser and are stored on your device (laptop, tablet, smartphone and similar) when you visit one of our pages. Cookies do not harm your device and do not contain viruses, Trojans or other forms of malware. Information is placed in the cookie that relates to your specific device in each case. This does not mean, however, that we obtain direct knowledge of your identity.

Cookies are used firstly to make using our services more pleasant for you. For instance, we use session cookies to detect that you have already visited pages of our website. They are deleted automatically when you leave our page and after 24 hours. We also use temporary cookies to optimise ease of use; they are stored on your device for a defined period.

By contrast, we do not use tracking cookies to log and analyse the movements of users and the internet usage habits of visitors. Section VIII of this privacy policy provides you with detailed information on our analysis methods.

The data processed by the cookies are necessary for the protection of our legitimate interest and the legitimate interest of third parties according to Art. 6 para. 1 sentence 1 point f) GDPR. Most browsers automatically accept cookies. You may adjust your browser settings so that you are notified when cookies are placed and either allow cookies only in individual cases, allow cookies only for certain cases or disable them altogether; you may also enable automatic deletion of cookies when closing the browser. The functions of this website may be restricted if you disable cookies. You may be unable to use all functions of our website if you disable cookies altogether.

VI. Email contact

You may contact us at the email address provided, namely info@vzbv.de. The user’s personal data that are transferred with the email will be stored in this case. The data will not be transferred to third parties when you contact us by email. The data will be used exclusively to process the conversation.

The legal basis for the processing of data that are transferred in connection with email communication is Art. 6 para. 1 point f) GDPR. Where the purpose of the email contact is the conclusion or performance of a contract, Art. 6 para. 1 point b) shall be the additional legal basis for processing.

Personal data from the email are processed solely to manage our contact with you. This represents our legitimate interest in the processing of data.

The data are erased as soon as the purpose for which they were collected no longer applies. This is the case in regard to the personal data that are sent by email when the specific conversation with the user is over. The conversation is deemed to be over when the circumstances indicate clearly that the matter in question has been clarified conclusively.

Users that make contact with us by email (e.g. datenschutzbeauftragter@vzbv.de) may object to the processing of their personal data at any time. We will be unable to continue the conversation in these cases. All personal data stored in connection with this establishment of contact will then be erased.

The tracking measures listed below and used by us are carried out on the basis of Art. 6 para 1 sentence 1 point f) GDPR. We use these tracking measures to ensure needs-based and continuous optimisation of our website. The purpose of the tracking measures is also to collect statistical data concerning the use of our website and to analyse these data in order to optimise our services for you. These interests must be considered legitimate according to the above regulation; no other purposes exist. The specific purposes of data processing and data categories are listed in the descriptions of the tracking tools.

Matomo

This website uses the open source web analytics service Matomo. Matomo enables us to evaluate user movements on vzbv.de for the purpose of improving our services in a manner that is compliant with data protection regulations. For this purpose, Matomo does not place cookies on the user’s computer. Instead it uses “fingerprinting” technology, which logs user movements on vzbv.de by means of pseudonymised IP addresses combined with the user’s browser settings. This technology enables the logging of visits and individual page views on vzbv.de, but does not permit any conclusions to be drawn about the identity of individual users. You can enable the Do-Not-Track function in your browser if you do not want your page views to be logged at all. Doing so is effective on vzbv.de and on all other pages visited by you.

You can also prevent logging of your page views on this website by using the following opt-out option. Kindly take note that a cookie will be placed on your system if you enable this option:

IX. Use of social media

In addition to our website, we are also active on social media and have integrated certain of these networks’ functions into our website. Users can share data, which enables us to address a broader audience via social networks. 

Social media and social networks are websites and apps used by registered members to create content, exchange content openly or in specific groups and network with other members.

The operators of the social media networks are generally responsible for data processing. Despite this, we would like to briefly explain how it works.

If you would like to exercise your rights as a data subject (e.g. obtain information), it is best to contact the relevant operator of these networks directly.

To ensure that the plugins are compatible with our of data protection and privacy standards, we use the “Shariff” solution developed by heise-online, which prevents the transmission of data to these networks that usually occurs when a page is accessed. On our website, user data is only transferred to social networks via the plugins once the user has given their consent by clicking one of the network buttons and activating the "Share" function.  The legal basis is Article 6, (1) 1 lit. f) of GDPR.

Twitter

Twitter is a microblogging service and a social media platform from Twitter Inc., One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland.

Data will only be sent to Twitter and stored and processed there if you interact with the Twitter functions on our website, e.g. by clicking a button. We have no influence over and are not responsible for this data processing. Within the scope of the privacy policy, we nevertheless want to give you an overview of the data stored by Twitter, what Twitter does with this data and how you can protect yourself against data transmission as far as possible.

What is Twitter?

Twitter is a microblogging service.

Both private individuals and companies use Twitter to communicate with interested people by posting short messages. Twitter only allows 280 characters per message. These messages are called "tweets". You can also have an anonymous account on Twitter and tweets can be erased by both the company and by the users themselves.

Why do we use Twitter on our website?

We use Twitter to communicate with all interested consumers. We have grown to appreciate Twitter, in particular, as a useful “in brief” news service. We frequently tweet or retweet relevant and interesting consumer policy content. You can experience our Twitter activity “on site” – i.e. on Twitter – or you can access our Twitter page via a direct link. We have integrated this link to strengthen our service and make our website more user-friendly.

What data is stored by Twitter?

The built-in Twitter functions can be found on the website. If you interact with Twitter content, e.g. by clicking a button, Twitter can collect and save data, even if you don't have a Twitter account yourself. Twitter calls this data “log data”. This includes demographic data, browser cookie IDs, your smartphone ID, hashed e-mail addresses, information about the websites you have visited using Twitter and actions you have performed on the network. Twitter will of course store more data if you have a Twitter account and are logged in. This data is mainly stored using cookies. Cookies are small text files which are usually stored in your browser and send various information to Twitter.

Twitter uses the collected data to better understand user behaviour and thus improve its own services and advertising. The data is also used for internal security measures.

How long and where will the data be stored?

If Twitter collects data from other websites, it will be erased, summarised or otherwise concealed after a maximum of 30 days. The Twitter servers are located at various server centres in the United States. It can therefore be assumed that the data collected will be collected and stored in the USA. We were unable to clearly determine whether Twitter also has its own servers in Europe based on our research. In principle, Twitter can save the collected data until it is no longer useful to the company, you erase the data, or there is a statutory deletion period.

How can I erase my data or prevent data storage?

In its privacy policy, Twitter repeatedly emphasises that it does not save any data from external website visits if you or your browser are located in the European Economic Area or in Switzerland. However, if you interact with Twitter directly, Twitter will of course save your data.

If you have a Twitter account, you can manage your data by clicking “More” under the “Profile” button. Then click “Settings and privacy”. Here, you can manage the data processing for your account.

If you don't have a Twitter account, you can visit twitter.com and then click “Settings”. You can manage your personal collected data under the item “Personalisation and data”.

As already mentioned above, most of the data is stored using cookies and you can manage, deactivate or erase them in your browser.

You can also manage your browser so that you are informed about each individual cookie. You can then decide whether or not to allow a cookie in each case.

Twitter also uses the data for personalised advertising on its website and elsewhere. In the settings, you can switch off personalised advertising under “Personalisation and data". If you use Twitter on a browser, you can deactivate personalised advertising at http://optout.aboutads.info/?c=2&lang=EN.

Please note that when you use this tool, your data can also be stored and processed outside the EU. Most third countries (including the USA) are not considered secure under current European data protection law. Data to insecure third countries may not simply be transferred, stored and processed there unless there are suitable guarantees (such as EU standard contractual clauses) between us and the non-European service provider.

We hope we have given you a general overview of data processing by Twitter. We do not receive any data from Twitter and are not responsible for what Twitter does with your data. If you have any further questions about this topic, we recommend reading Twitter’s Privacy Policy at https://twitter.com/de/privacy.

YouTube

We have installed YouTube videos on our website. This enables us to show you interesting videos directly on our website. YouTube is a video portal that has been a subsidiary of Google since 2006. The video portal is operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. When you access a page of our website with an embedded YouTube video, your browser automatically connects to the YouTube or Google servers. Various data is transmitted, depending on the settings. Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all data processing in Europe.

We would like to explain to you in more detail below what data is processed, why we have integrated YouTube videos and how you can manage and erase your data.

What is YouTube?

Users can watch, rate, comment and upload videos for free on YouTube. Over the past few years, YouTube has become one of the most important social media channels in the world. YouTube provides a code excerpt that we have built into our website so that we can display videos.

Why do we use YouTube videos on our website?

YouTube is the video platform with the most visitors. We strive to offer you the best possible user experience on our website. And relevant videos are of course an important element of this. With the help of our embedded videos, we can provide you with other helpful content in addition to our texts and images. Our website is also easier to find using the Google search engine thanks to the embedded videos.

What data is saved by YouTube?

As soon as you play a YouTube video which is integrated into our website, YouTube sets at least one cookie which saves your IP address and our URL. If you are logged into your YouTube or Google account at the same time, YouTube can usually link your interactions on our website to your profile using cookies. This includes data such as the session duration, bounce rate, approximate location and technical information e.g. browser type, screen resolution and your internet provider. Further data may include contact details, any ratings, sharing content via social media and your favourites on YouTube.

If you are not signed in to a Google or YouTube account, Google stores data with a unique identifier which is linked to your device, browser or app. For example, your preferred language setting is saved. However, a lot of the interaction data cannot be saved because fewer cookies are stored.

How long and where will the data be stored?

The data which YouTube receives and processes about you is stored on Google's servers. Most of these servers are located in the United States. You can see exactly where the Google data centres are located at https://www.google.com/about/datacenters/inside/locations/?hl=en. Your data is distributed on the servers. This means that the data can be accessed more quickly and is better protected against manipulation.

Google stores the data collected for different lengths of time. You can erase some of the data at any time, while other data is automatically erased after a limited period of time, and some is saved by Google for a longer period of time. Some data (such as items in “My Activity”, photos, documents and products) saved in your Google Account will be saved until you erase them. Even if you are not signed in to a Google Account, you can erase some data associated with your device, browser or app.

How can I erase my data or prevent data storage?

You can usually erase data in the Google account manually. The automatic erasure function for location and activity data introduced in 2019 erases data following an optional storage period of either 3 or 18 months.

You can configure your browser so that Google erases or deactivates cookies, regardless of whether you have a Google account. This works in different ways, depending on which browser you are using.

If you generally do not want cookies, you can set up your browser so that it always informs you when a cookie is saved. This allows you to decide whether to permit each individual cookie. As YouTube is a subsidiary of Google, there is a shared Privacy Policy. If you want to find out more about how they handle your data, we recommend reading the Privacy Policy at https://policies.google.com/privacy?hl=de.

Facebook and WhatsApp

Our website has buttons with links to Facebook and WhatsApp. The provider is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbor, Dublin 2 Ireland. You can identify the buttons by the Facebook and WhatsApp logos.

The buttons enable you to easily share vzbv.de content with other Facebook and WhatsApp users Data protection-friendly programmed solution “Shariff”. This means: your user data (your IP address, information about your internet usage habits) is not transferred to Facebook until you have clicked one of the buttons to share vzbz.de content on Facebook or by WhatsApp.

If you click a Facebook or WhatsApp button while you are logged into your Facebook account, Facebook can also link your website visit to your user account. Kindly take note that as provider of this website, we do not receive any information from Facebook about the data transferred or its use by Facebook. You must sign out of your Facebook account before visiting our website if you do not want Facebook to associate the data collected on our website with your Facebook account. You must also refrain from clicking the Facebook and WhatsApp buttons if you wish to prevent the transfer of data to Facebook completely. The purpose and scope of the data collection and the further processing and use of the data by Facebook, as well as your related rights and setting options to protect your privacy, can be found in Facebook’s Data Policy (https://www.facebook.com/policy.php) and Whatsapp’s Privacy Policy (https://www.whatsapp.com/legal/privacy-policy-eea).

IX. Rights of the data subject

Where your personal data are processed, you are a data subject within the meaning of the GDPR and you have the following rights in regard to the controller:

1.  Right to information

You have the right to obtain from the controller a confirmation of whether personal data concerning you are processed. Where your data are processed, you may obtain from the controller the following information: (1) the purposes for which the personal data are processed; (2) the categories of personal data that are processed; (3) the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed; (4) the envisaged period for which the personal data concerning you will be stored and, if specific information in this regard is not available, the criteria for determining this period; (5) the existence of the right to obtain from the controller rectification or erasure of personal data or restriction of processing of personal data or the right to object to processing; (6) the right to lodge a complaint with a supervisory authority; (7) all available information on the origin of the data if the personal data are not collected from the data subject; (8) the existence of automated decision-making, including profiling, referred to in Art. 22 para 1 and 4 GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. You have the right to obtain information on whether personal data concerning you is transferred to a third country or to an international organisation. In this regard, you have the right to obtain information concerning the adequate safeguards pursuant to Art. 46 GDPR in regard to the transfer of your data.

2.  Right to rectification

You have the right to obtain from the controller the rectification and/or completion of personal data concerning you insofar as they are inaccurate or incomplete. The controller must carry out rectification without undue delay.

3. Right to restriction of processing

You have the right to obtain restriction of processing of personal data concerning you where the following conditions apply: (1) if the accuracy of the personal data is contested by you, for a period enabling the controller to verify the accuracy of the personal data; (2) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; (3) the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; (4) you have objected to processing pursuant to Art. 21 para 1 GDPR pending the verification whether the legitimate grounds of the controller override your grounds. Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. If you have obtained restriction of processing pursuant to the above conditions, you will be informed by the controller before the restriction of processing is lifted.

4. Right to erasure

a) Obligation to erase You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (1) the personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (2) you have withdrawn your consent on which the processing is based according to Art. 6 para 1 point a) GDPR or Art. 9 para 2 point a) GDPR and there is no other legal ground for the processing; (3) you object to the processing pursuant to Art. 21 para 1 GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 para. 2 GDPR; (4) the personal data concerning you were unlawfully processed; (5) erasure of the personal data concerning you is necessary for compliance with a legal obligation in Union or Member State law to which the controller is subject; (6) the personal data concerning you were collected in relation to the offer of information society services referred to in Art. 8 para 1 GDPR. b) Exceptions The right to erasure shall not apply insofar as processing is necessary (1) for exercising the right of freedom of expression and information; (2) for compliance with a legal obligation which requires processing according to Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (3) for reasons of public interest in the area of public health in accordance with Art. 9 para 2 points h) and i) and Art. 9 para 3 GDPR; (4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 para 1 GDPR insofar as the right referred to in paragraph a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or (5) for the establishment, exercise or defence of legal claims.

5. Right to notification

Where you have exercised your right to rectification, erasure or restriction of processing towards the controller, the controller is obligated to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. You have the right to obtain from the controller information concerning these recipients.

6.  Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6 para 1 points e) or f) GDPR; this also applies to profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. Should you object to processing for direct marketing purposes, the personal data will no longer be processed for such purposes. You may exercise your right to object by automated means using technical specifications in the context of the use of information society services, and notwithstanding Directive 2002/58/EC.

7. Right to withdraw consent under data protection law

You have the right to withdraw your consent under data protection law at any time. The withdrawal of your consent does not affect the lawfulness of processing carried out until such time as your consent is withdrawn.

8.  Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR. The competent data protection supervisory authority for us is: Berlin Commissioner for Data Protection and Freedom of Information Friedrichstr. 219 Visitors’ entrance: Puttkamerstr. 16–18 10969 Berlin mailbox@datenschutz-berlin.de

X. Currency and amendment of this privacy policy

This privacy policy is current as at May 2021. It may become necessary to amend this privacy policy due to the ongoing development of our website and services or in response to changes in legal or official requirements. You may access and print out the most recent privacy policy at any time on the website at https://www.vzbv.de/datenschutzerklaerung.