Privacy Policy

We take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations of the EU General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) and this privacy policy, which informs you about the most important aspects of data processing in connection with our website.

I. Name and address of the controller

Verbraucherzentrale Bundesverband e.V. (Federation of German Consumer Organisations)

Rudi-Dutschke-Strasse 17

10969 Berlin

Phone: +49 30 25800-0

Fax: +49 30 25800-518

info@vzbv.de

represented by

Klaus Müller (Executive Director)

II. Contacting the data protection officer

If you have questions concerning data protection at the Federation of German Consumer Organisations, you may contact our data protection officer at any time using the following contact details:

Datenschutzbeauftragter des Verbraucherzentrale Bundesverbands (vzbv)

Rudi-Dutschke-Strasse 17

10969 Berlin

datenschutzbeauftragter@vzbv.de

III. General remarks concerning data protection

1. Scope in which personal data is processed

Our website can generally be used without providing personal data. As a matter of principle, we only process personal data of our users where this is necessary for the provision of a functional website as well as our contents and services.

2. Legal basis for the processing of personal data

Where we obtain the consent of the data subject for the processing of personal data, the legal basis is Art. 6 para. 1 point a) EU General Data Protection Regulation (GDPR).

The legal basis for the processing of personal data for the performance of a contract or fulfilment of our services is Art. 6 para. 1 point b) GDPR. This applies also to processing that is carried out to take steps prior to entering into a contract.

Where the processing of personal data is necessary in order to protect the vital interests of the data subject or of another natural person, the legal basis is Art. 6 para. 1 point d) GDPR.

We set out the relevant legal basis for the processing of personal data in each of the processing operations described below.

3. Data erasure and duration of storage

The personal data of the data subject will be erased or blocked as soon as the purpose of their storage no longer applies. In addition, storage may take place if this has been provided for by the European or national legislator in Union regulations, laws or other provisions to which the controller is subject. Data will also be blocked or erased if a storage period prescribed by the aforementioned standards expires, unless continued storage of the data is necessary to enter into a contract or for the performance of a contract.

The erasure period will be specified in connection with processing operations to which an erasure period applies.

4. Cooperation with processors and third parties

In the event that we transfer data to other persons and enterprises (processors or third parties) or otherwise grant them access to the data in connection with our data processing, this shall only take place on the basis of legal permission, your consent, a legal obligation, for the fulfilment of contractual relationships with you or if we have a legitimate interest in the transfer of data (e.g. when using authorised representatives or web hosting providers, etc.). Where we commission third parties with the processing of data within the framework of a “Data Processing Agreement”, this shall take place on the basis of Art. 28 GDPR.

5. Data security

We use the common SSL technology (Secure Sockets Layer) on our website in connection with the highest encryption level supported by your browser in each case. This is usually 256-bit encryption. We revert to 128-bit v3 technology in the event that your browser does not support 256-bit encryption. You can tell whether a page on our internet presence is transferred in an encrypted form by the presence of a key or padlock symbol in the lower status bar of your browser. We otherwise implement suitable technical and organisational security measures to protect your data against coincidental or wilful manipulation, partial or complete loss, destruction or against unauthorised access by third parties. Our security measures are improved continuously in line with the state of the art.

6. Profiles on social media

It has been established by the highest courts that the operators of profiles in social media, including association profiles, are jointly responsible with the network operator for data processing in connection with these profiles.

We operate association profiles on social networks and platforms to communicate with interested persons and users who are active there and to inform them about our services. The privacy policies issued by the respective operators of the social networks and platforms apply when their services are accessed.

Except where otherwise stated in our privacy policy, we process the data of users insofar as they communicate with us on the social networks and platforms, i.e. they post comments on our internet presences or send us messages.

IV. Provision of the website and creation of log files

Scope in which personal data is processed

The browser used on your device automatically sends information to our website servers when you access our website at www.vzbv.de. This information is temporarily stored in a log file. The following information is collected without your involvement, stored and erased after 14 days, in special cases such as error notifications and warnings after 8 weeks at most:

  • browser type and version
  • operating system
  • referrer URL
  • IP address of the accessing computer
  • time of the server request

These data are processed by us for the following purposes:

  • to ensure the establishment of a smooth connection to the website;
  • to ensure convenient use of our website;
  • to evaluate system security and stability;
  • to prevent possible criminal offences; and
  • for other administrative purposes.

The legal basis for this data processing is Art. 6 para. 1 sentence 1 point f) GDPR. The purposes of data processing listed in the foregoing constitute our legitimate interests. On no account do we use the collected data for the purpose of drawing conclusions about you personally. We also use cookies and analysis services when you visit our website. For more information in this regard, please refer to sections V and VIII of this privacy policy.

V. Use of cookies

Cookies are used in some instances on these internet pages. They are small text files that are generated automatically by your browser and are stored on your device (laptop, tablet, smartphone and similar) when you visit one of our pages. Cookies do not harm your device and do not contain viruses, Trojans or other forms of malware. Information is placed in the cookie that relates to your specific device in each case. This does not mean, however, that we obtain direct knowledge of your identity.

Cookies are used firstly to make using our services more pleasant for you. For instance, we use session cookies to detect that you have already visited pages of our website. They are deleted automatically when you leave our page and after 24 hours. We also use temporary cookies to optimise ease of use; they are stored on your device for a defined period.

By contrast, we do not use tracking cookies to log and analyse the movements of users and the internet usage habits of visitors. Section VIII of this privacy policy provides you with detailed information on our analysis methods.

The data processed by the cookies are necessary for the protection of our legitimate interest and the legitimate interest of third parties according to Art. 6 para. 1 sentence 1 point f) GDPR. Most browsers automatically accept cookies. You may adjust your browser settings so that you are notified when cookies are placed and either allow cookies only in individual cases, allow cookies only for certain cases or disable them altogether; you may also enable automatic deletion of cookies when closing the browser. The functions of this website may be restricted if you disable cookies. You may be unable to use all functions of our website if you disable cookies altogether.

VI. Email contact

You may contact us at the email address provided, namely info@vzbv.de. The user’s personal data that are transferred with the email will be stored in this case. The data will not be transferred to third parties when you contact us by email. The data will be used exclusively to process the conversation.

The legal basis for the processing of data that are transferred in connection with email communication is Art. 6 para. 1 point f) GDPR. Where the purpose of the email contact is the conclusion or performance of a contract, Art. 6 para. 1 point b) shall be the additional legal basis for processing.

Personal data from the email are processed solely to manage our contact with you. This represents our legitimate interest in the processing of data.

The data are erased as soon as the purpose for which they were collected no longer applies. This is the case in regard to the personal data that are sent by email when the specific conversation with the user is over. The conversation is deemed to be over when the circumstances indicate clearly that the matter in question has been clarified conclusively.

Users that make contact with us by email (e.g. datenschutzbeauftragter@vzbv.de) may object to the processing of their personal data at any time. We will be unable to continue the conversation in these cases. All personal data stored in connection with this establishment of contact will then be erased.

VII. Tracking tools (in this regard, refer also to: V. Use of cookies)

The tracking measures listed below and used by us are carried out on the basis of Art. 6 para 1 sentence 1 point f) GDPR. We use these tracking measures to ensure needs-based and continuous optimisation of our website. The purpose of the tracking measures is also to collect statistical data concerning the use of our website and to analyse these data in order to optimise our services for you. These interests must be considered legitimate according to the above regulation; no other purposes exist. The specific purposes of data processing and data categories are listed in the descriptions of the tracking tools.

Matomo

This website uses the open source web analytics service Matomo. Matomo enables us to evaluate user movements on vzbv.de for the purpose of improving our services in a manner that is compliant with data protection regulations. For this purpose, Matomo does not place cookies on the user’s computer. Instead it uses “fingerprinting” technology, which logs user movements on vzbv.de by means of pseudonymised IP addresses combined with the user’s browser settings. This technology enables the logging of visits and individual page views on vzbv.de, but does not permit any conclusions to be drawn about the identity of individual users. You can enable the Do-Not-Track function in your browser if you do not want your page views to be logged at all. Doing so is effective on vzbv.de and on all other pages visited by you.

You can also prevent logging of your page views on this website by using the following opt-out option. Kindly take note that a cookie will be placed on your system if you enable this option:

VIII. Use of social media

(1) We have accounts on different social media platforms. We operate accounts at the following providers:

  • Twitter: Twitter Inc., One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland, https://twitter.com/de/privacy
  • YouTube: YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA, https://policies.google.com/technologies/product-privacy and https://policies.google.com/privacy

(2) We use the technical platform and services of the providers for these information services. Please note that you use our services on social media platforms and their features at your own risk. This applies in particular to the use of interactive features (e.g. commenting, sharing, rating). When you visit our accounts, the providers of the social media platforms collect, among other things, your IP address and other information that is stored on your device in the form of cookies. This information is used to provide us, as the operator of the accounts, with statistical information about your interaction with us.

(3) The data collected about you in this context is processed by the platforms and may be transferred to countries outside the European Union, in particular the USA. According to their own statements, all of the aforementioned providers maintain an adequate level of data protection that conforms to that of the former EU-US Privacy Shield. We are not aware of how the social media platforms use the data from your visit to our account and interaction with our posts for their own purposes, how long these data are stored and whether data are passed on to third parties. Data processing may differ depending on whether you are registered and logged in to the social network or are visiting the site as a non-registered and/or non-logged-in user. When you access a post or the account, the IP address assigned to your device is transmitted to the provider of the social media platform. If you are currently logged in as a user, a cookie on your device can be used to track how you have navigated the network. Buttons embedded in websites enable the platforms to record your visits to these website pages and associate them with your respective profile. These data can be used to target content or advertising specifically to you. If you want to avoid this, you should log out or disable the “stay logged in” option, delete the cookies on your device and restart your browser.

(4) As the provider of the information service, we also only process the data from your use of our service that you provide to us and that require interaction. For example, if you ask a question that we can only answer by email, we will store your information in accordance with the general principles of our data processing, as described in this Privacy Policy. The legal basis for processing your data on the social media platform is Art. 6 para. 1 sentence 1 point f) GDPR.

(5) To exercise your rights as a data subject, you can contact either us or the provider of the social media platform. If one party is not responsible for responding or must receive the information from the other party, we or the provider will then forward your request to the respective partner. Please contact the operator of the social media platform directly for any questions about profiling or processing of your data when using the website. For questions about the processing of your interaction with us on our page, write to us using the contact details we have provided above.

(6) The providers describe what information the social media platform receives and how it is used in their privacy policies (see link in the table above). You can also find information in them on the options for contacting them as well as on the settings for advertisements. Further information on social networks and how you can protect your data is also available at www.youngdata.de.

Embedding of YouTube videos

(1) In our online services, we have embedded YouTube videos, which are stored at YouTube.com and directly playable from our website. They are embedded in “privacy-enhanced mode”, which means that data about you as a user will not be transferred to YouTube unless you play the videos. When you play the videos, the data referred to in paragraph 2 will be transmitted. We have no influence over this data processing. The legal basis for this data processing is Art. 6 para. 1 sentence 1 point a) GDPR, which means embedding takes place only with your consent.

(2) By visiting our website, YouTube receives information that you have accessed the corresponding sub-page of our website. In addition, the aforementioned basic data such as IP address and time stamp are transmitted. This takes place irrespective of whether YouTube has provided a user account and you are logged in, or whether a user account exists at all. The data will be directly associated with your account if you are logged into Google. You must log out of your account before selecting the button if you do not want the data to be associated with your YouTube profile. YouTube stores your data as a user profile and uses them for the purposes of advertising, market research and/or the audience-based design of its website. This analysis is performed, even for users who are not logged in, specifically to provide audience-based advertising and inform other social network users about your activity on our website. You have the right to object to the creation of this user profile. To exercise this right, you must address your objection to YouTube.

(3) The information collected is stored on Google servers, including in the USA. For these cases, the provider has, according to its own information, imposed a standard on itself that conforms to the former EU-US Privacy Shield and has promised to comply with applicable data protection laws in the international transfer of data. We have also agreed with Google on standard data protection clauses to ensure an appropriate level of data protection in the third country.

(4) For more information about the purpose and scope of data collection and processing by YouTube, please refer to the privacy policy. In that document, you may also obtain further information on your rights and configuration options regarding the protection of your privacy: https://policies.google.com/privacy

Facebook and WhatsApp

Our website has buttons with links to Facebook and WhatsApp. The provider is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland. You can identify the buttons by the Facebook and WhatsApp logos.

The buttons enable you to easily share vzbv.de content with other Facebook and WhatsApp users by means of the “Shariff” solution with its privacy-compliant programming features. This means: your user data (your IP address, information about your Internet usage habits) are not transferred to Facebook until you have clicked on one of the buttons to share vzbv.de content on Facebook or by WhatsApp.

If you click on a Facebook or WhatsApp button while you are logged into your Facebook account, Facebook can also associate the visit to our pages with your user account. Kindly take note that as provider of this website, we do not receive any information from Facebook about the data transferred or its use by Facebook. You must log out of your Facebook account before visiting our website if you do not want Facebook to associate the data collected on our website with your Facebook account. You must also refrain from clicking the Facebook and WhatsApp buttons if you wish to completely prevent the transfer of data to Facebook. The purpose and scope of the data collection and the further processing and use of the data by Facebook, as well as your related rights and setting options to protect your privacy, can be found in Facebook’s Data Policy (https://www.facebook.com/policy.php) and WhatsApp’s Privacy Policy (https://www.whatsapp.com/legal/privacy-policy-eea).

IX. Rights of the data subject

Where your personal data are processed, you are a data subject within the meaning of the GDPR and you have the following rights in regard to the controller:

1. Right to information

You have the right to obtain from the controller a confirmation of whether personal data concerning you are processed. Where your data are processed, you may obtain from the controller the following information:
(1) the purposes for which the personal data are processed;
(2) the categories of personal data that are processed;
(3) the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
(4) the envisaged period for which the personal data concerning you will be stored and, if specific information in this regard is not available, the criteria for determining this period;
(5) the existence of the right to obtain from the controller rectification or erasure of personal data or restriction of processing of personal data or the right to object to processing;
(6) the right to lodge a complaint with a supervisory authority;
(7) all available information on the origin of the data if the personal data are not collected from the data subject;
(8) the existence of automated decision-making, including profiling, referred to in Art. 22 para 1 and 4 GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to obtain information on whether personal data concerning you is transferred to a third country or to an international organisation. In this regard, you have the right to obtain information concerning the adequate safeguards pursuant to Art. 46 GDPR in regard to the transfer of your data.

2. Right to rectification

You have the right to obtain from the controller the rectification and/or completion of personal data concerning you insofar as they are inaccurate or incomplete. The controller must carry out rectification without undue delay.

3. Right to restriction of processing

You have the right to obtain restriction of processing of personal data concerning you where the following conditions apply:
(1) if the accuracy of the personal data is contested by you, for a period enabling the controller to verify the accuracy of the personal data;
(2) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
(3) the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims;
(4) you have objected to processing pursuant to Art. 21 para 1 GDPR pending the verification whether the legitimate grounds of the controller override your grounds.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. If you have obtained restriction of processing pursuant to the above conditions, you will be informed by the controller before the restriction of processing is lifted.

4. Right to erasure

a) Obligation to erase
You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(1) the personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(2) you have withdrawn your consent on which the processing is based according to Art. 6 para 1 point a) GDPR or Art. 9 para 2 point a) GDPR and there is no other legal ground for the processing;
(3) you object to the processing pursuant to Art. 21 para 1 GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 para. 2 GDPR;
(4) the personal data concerning you were unlawfully processed;
(5) erasure of the personal data concerning you is necessary for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(6) the personal data concerning you were collected in relation to the offer of information society services referred to in Art. 8 para 1 GDPR.

b) Exceptions
The right to erasure shall not apply insofar as processing is necessary
(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing according to Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health in accordance with Art. 9 para 2 points h) and i) and Art. 9 para 3 GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 para 1 GDPR insofar as the right referred to in paragraph a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(5) for the establishment, exercise or defence of legal claims.

5. Right to notification

Where you have exercised your right to rectification, erasure or restriction of processing towards the controller, the controller is obligated to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
You have the right to obtain from the controller information concerning these recipients.

6. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6 para 1 points e) or f) GDPR; this also applies to profiling based on those provisions.
The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Should you object to processing for direct marketing purposes, the personal data will no longer be processed for such purposes.
You may exercise your right to object by automated means using technical specifications in the context of the use of information society services, and notwithstanding Directive 2002/58/EC.

7. Right to withdraw consent under data protection law

You have the right to withdraw your consent under data protection law at any time. The withdrawal of your consent does not affect the lawfulness of processing carried out until such time as your consent is withdrawn.

8. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR. The competent data protection supervisory authority for us is:
Berlin Commissioner for Data Protection and Freedom of Information
Friedrichstr. 219
Visitors’ entrance: Puttkamerstr. 16–18
10969 Berlin
mailbox@datenschutz-berlin.de

X. Currency and amendment of this privacy policy

This privacy policy is current as at May 2021. It may become necessary to amend this privacy policy due to the ongoing development of our website and services or in response to changes in legal or official requirements. You may access and print out the most recent privacy policy at any time on the website at https://www.vzbv.de/datenschutzerklaerung.