I. Name and address of the controller
Verbraucherzentrale Bundesverband e.V.
Tel.: +49 (0)30 258 000
Fax: +49 (0)30 2580 0518
Klaus Müller (Executive Director)
II. Contacting the data protection officer
If you have any questions relating to data protection at vzbv, you can contact our data protection officer at any time at the address below:
Datenschutzbeauftragter des Verbraucherzentrale Bundesverbands (vzbv)
(Data protection officer for the Federation of German Consumer Organisations)
III. General information on data processing
1. Scope of personal data processing
It is generally possible to use our website without providing personal data. We process personal data belonging to our users only where this is necessary to provide a functioning website or to deliver our content and services. Personal data will be processed only if users have given their consent or if statutory provisions permit the data to be processed. If personal data (such as name, address or email address) is collected on our website, this will always be done on a voluntary basis. We process this data to fulfil our contractual obligations and to provide services in accordance with Article 6 (1) (b) GDPR. This data will not be disclosed to any third parties without your explicit consent.
2. Legal basis for the processing of personal data
Article 6 (1) (a) GDPR constitutes the legal basis for any processing of personal data for which the consent of the data subject is obtained.
Article 6 (1) (b) GDPR constitutes the legal basis for processing of personal data that is necessary for the performance of a contract or the provision of our services. The same applies for processing activities required to perform steps prior to entering into a contract.
If the processing of personal data is necessary for compliance with a legal obligation to which we are subject,
Article 6 (1) (c) GDPR constitutes the legal basis for processing.
Article 6 (1) (d) GDPR constitutes the legal basis for the processing of personal data that is necessary in order to protect the vital interests of the data subject or of another natural person.
Article 6 (1) (f) GDPR constitutes the legal basis in cases where the processing of personal data is necessary for the purposes of the legitimate interests pursued by us or by a third party and where such interests are not overridden by the interests or fundamental rights and freedoms of the data subject.
3. Data erasure and duration of storage
The personal data of the data subject is erased or blocked as soon as the purpose for which it was stored no longer applies. Data may also be stored if permitted by European or national lawmakers in European Union regulations, laws or other provisions to which the controller is subject. The data is also blocked or erased if a storage period specified by one of the aforementioned provisions expires, unless there is a need to continue storing the data to perform a contract or in preparation for entering into a contract.
4. Collaboration with processors and third parties
If we transfer data to other persons and companies (processors or third parties) or otherwise grant them access to the data within the scope of our processing, we will do so only on the basis of a legal permission, if you have given your consent, if a legal obligation requires such transfer, for the processing of contractual relationships with you or if we have a legitimate interest in the data transfer (e.g. when using agents, web hosts, etc.). If we engage a third party to process your data on the basis of a data processing contract, the legal basis for this is Article 28 GDPR.
5. Data security
Within our website we use the standard SSL (Secure Socket Layer) technology in combination with the highest level of encryption supported by your browser. This is generally 256-bit encryption. If your browser doesn’t support 256-bit encryption, we use 128-bit v3 technology instead. The key or lock symbol in the status bar at the bottom of your browser screen shows whether an individual page on our website is being transmitted in encrypted form. We also take appropriate technical and organisational security precautions to protect your data against accidental or deliberate manipulation, access by unauthorized persons, destruction, or complete or partial loss. We improve our security measures on an ongoing basis to keep pace with technological advances.
6. Social media profiles
We operate vzbv profiles on social networks and platforms so that we can communicate with users and interested parties who use these platforms, and inform them about the work we do. The terms and conditions and data processing policies of the relevant operators apply when accessing these networks and platforms.
IV. Provision of the website and creation of log files
Scope of personal data processing
When you access our website at europa-kann-mehr.de or europa-kann-mehr.eu information is automatically communicated to our website servers by the web browser used on your end device. This information is temporarily stored in a log file. The following information will be recorded without any action on your part and stored until it is automatically deleted:
- Browser type and browser version
- Operating system used
- Referrer URL
- IP address of the computer accessing our website
- Time of the server request
We process the above data for the following purposes:
- Ensuring a stable connection to the website
- Making our website easy to navigate
- Evaluating the system security and stability
- Other administrative purposes
Cookies are used on some parts of our website. Cookies are small text files which are generated automatically by your browser and placed on your end device (laptop, tablet, smartphone or similar) each time you visit our website. Cookies do not cause any damage to your end device and do not carry any viruses, Trojans, or other malware. The cookie is used to store information collected about the specific end device you use. However, this does not mean that we obtain information about your identity in this way.
The data processed by cookies is necessary for the specified purposes to protect our legitimate interests and those of third parties in accordance with Article 6 (1) sentence 1 (f) GDPR. .Most browsers accept cookies automatically. By modifying the settings in your browser you can instruct it to inform you about the placement of cookies so that you can decide whether to permit them in a specific instance only, to disable them on a case-by-case basis or generally, or to automatically delete cookies when you close your browser. The functionality of our website may be restricted if you disable cookies. Please note that if you choose to disable cookies completely, some of our website’s functions may be unavailable to you.
You can contact us by email at email@example.com. If you choose to do this, the personal data communicated in the email will be stored. This personal data will not be passed on to third parties. The data will be used exclusively for the purpose of conducting the conversation.
The legal basis for the processing of personal data supplied in connection with email correspondence is Article 6 (1) (f) GDPR. If the purpose of the email contact is to enter into a contract, Article 6 (1) (b) GDPR provides an additional legal basis for the processing.
We process the personal data from the email solely for the purpose of dealing with the initial contact. This also constitutes the necessary legitimate interest in the processing of the data.
The data is erased as soon as it is no longer required for the purpose for which it was collected. For personal data that was sent by email, this is the case when the conversation with the user has ended. The conversation has ended when it is clear from the circumstances that the matter concerned has been resolved.
Users may withdraw their consent to the processing of their personal data at any time. Users can revoke their consent to the storage of their personal data at any time by emailing us at (firstname.lastname@example.org). In this event, we will be unable to continue our correspondence with you and any personal data stored in connection with your correspondence will be erased.
We send newsletters, emails and other electronic communications containing promotional information (‘newsletters’) only with the consent of the recipient or if we have statutory permission. If the content of the newsletter is specifically described when the user subscribes to the newsletter, this content determines the scope of the user’s consent. In other respects our newsletters contain information on consumer-policy issues and other relevant matters similar to the content of this website.
Double opt-in and logging
Subscriptions to the newsletter are logged so that we have a record of the subscription process, as required by law. Data stored includes the time of subscription and confirmation, as well as the IP address. Any changes to your details stored by the email marketing service provider are also logged.
Use of the email marketing service provider ‘Inxmail’
The newsletters are sent by Inxmail GmbH, Wentzingerstrasse 17, 79106 Freiburg.
The email addresses of our newsletter subscribers are stored on Inxmail’s servers in Germany, together with other data described in this policy. Inxmail uses this information on our behalf to send out the newsletters and for analysis. Inxmail may also use this data to optimise or improve its own services, e.g. to optimise the sending process and the way in which the newsletters are displayed, or for commercial purposes, in order to determine which countries the subscribers come from. Inxmail does not use the data of our newsletter subscribers in order to contact them itself, nor does it pass this data on to third parties. We trust Inxmail’s reliability and its IT and data security, and have entered into a data processing agreement with Inxmail. Inxmail operates in compliance with the EU’s General Data Protection Regulation.
The only data you need to provide in order to subscribe to the newsletter is your email address.
We also ask for your first and last name, but this is optional, and will be used only to personalise the newsletter. We also ask for other information, which is also optional. We use this information purely for the purpose of tailoring the content of the newsletters to the interests of our readers.
Collection and analysis of statistical information
The newsletters contain a ‘web beacon’, i.e. a pixel-sized file that is downloaded from the server of Inxmail GmbH when the newsletter is opened. This file collects technical information such as data about your browser and your system, your IP address and the time the newsletter was opened. This enables Inxmail to optimise the services based on the technical data or on the target groups and their reading habits. The statistical information collected also includes establishing whether the newsletters were opened, when they were opened and what links were clicked on. This information is stored in anonymised form and is not associated with individual newsletter recipients. The purpose of the analysis is to identify the reading habits of our users so that we can tailor the newsletter content to them.
Online access and data management
Sometimes we direct newsletter recipients to Inxmail’s website. For example, our newsletters contain a link that newsletter recipients can use to access the newsletters online (e.g. if content does not display properly in the email program).
Cancellation/withdrawal of consent
You can stop receiving our newsletters at any time i.e. withdraw your consent. At the end of each newsletter there is an ‘unsubscribe’ link. This will revoke your consent to receiving the newsletter from Inxmail and to the statistical analysis of your data. Unfortunately it is not possible to revoke consent to receiving the newsletter from Inxmail or to the statistical analysis separately. Alternatively you can also unsubscribe via this website.
Legal bases of the General Data Protection Regulation
In accordance with the provisions of the General Data Protection Regulation (GDPR) that came into effect on 25 May 2018, we are informing you that the legal basis for the consent to the sending of emails is Article 6 (1) (a) and Article 7 GDPR and section 7 (2) no. 3 and/or (3) of the German Act Against Unfair Competition (UWG). The use of the email marketing service provider Inxmail, the collection and analysis of statistical information and the logging of the subscription process are carried out on the basis of our legitimate interest pursuant to Article 6 (1) (f) GDPR. Our interest lies in the provision of a user-friendly and secure newsletter system that meets our commercial interests and the expectations of our users. The data is erased as soon as it is no longer required for the purpose for which it was collected. The email address of the user will be stored for as long as the subscription to the newsletter remains active.
We would also point out that you can withdraw consent to the future processing of your personal data at any time in accordance with the provisions of Article 21 GDPR. Consent may be withdrawn in particular to the processing of data for the purposes of direct marketing.
VIII. Tracking tools
We carry out the tracking activities described below on the basis of Article 6 (1) sentence 1 (f) GDPR. We use these tracking activities in order to optimise our website and tailor its content to the needs of our users. We also use them to enable the collection of statistical data concerning the use of our website and the analysis of this data for the purpose of optimising the services and information we provide for you. These interests are legitimate within the meaning of the aforementioned provision. Please refer to the individual tracking tools for further information on the categories of data collected and the purposes for which it is processed.
This website uses the open source web analysis service Matomo. Matomo enables us to analyse user movements on europa-kann-mehr.de or europa-kann-mehr.eu in a privacy-compliant manner for the purposes of improving our offering. Matomo does not place cookies on the user’s computer. Instead, it uses ‘fingerprinting’ – a technique that uses pseudonymised IP addresses in combination with the user’s browser settings to track user movements on europa-kann-mehr.de or europa-kann-mehr.eu. Visits and requests for individual pages on europa-kann-mehr.de or europa-kann-mehr.eu can be logged, but the information cannot be linked to the identity of individual users.
If you wish to prevent your visits to our website being logged, you have the option to activate the Do Not Track function in your browser. This then applies both to europa-kann-mehr.de and europa-kann-mehr.eu and to other websites you visit.
You can also prevent this website from logging your visits by means of the opt-out methods described below. Please note that these options require a cookie to be stored on your system:
IX. Social media plugins (Like buttons and similar)
The pages on this website feature plugins from various social media platforms which enable content to be shared via these networks. The legal basis for this is Article 6 (1) sentence 1 (f) GDPR. The underlying business purpose is regarded as a legitimate interest within the meaning of the GDPR. To ensure that the plugins are compatible with our ideas of data protection and privacy, we use the ‘Shariff’ solution developed by heise-online, which prevents the data from being transferred to these networks as soon as the page is accessed. On our website, the plugins do not transfer user data to social networks until the user has granted consent. Consent is granted when the user activates the ‘share’ function by clicking on one of the network buttons.
Facebook plugins (Like button)
X. vzbv events
1. Scope and purpose of personal data processing Registration for vzbv events is always voluntary. Interested persons can register by emailing the relevant team at the address given in the invitation. We need your title, first name, last name and institution/job title for the registration process. This data is deleted once the event has ended.
We use your data for the following purposes:
(1) For the organisation, delivery and management of the event.
(2) To facilitate networking between the participants by giving out name badges (title, first name, last name and institution/company) and providing attendance lists. The attendance list also contains the titles, first names, last names and institutions/companies of the participants. Providing information for this purpose is voluntary. If there is an attendance list for the event, you can choose whether to agree to your inclusion on the list when you register.
(3) To prove that we are allowed to process your data and to send you information about the event by email.
(4) For documentation purposes, including photographs and videos, which may also be used by vzbv for publicity.
2. Legal basis for the processing of personal data
Re (1): The legal basis for processing data for the organisation, delivery and management of the event is Article 6 (1) (f) GDPR.
Re (2): The legal basis for processing data to enable participants to network is Article 6 (1) (a) GDPR.
Re (4): The legal basis for taking photos and videos and for their subsequent processing is section 23 (1) no. 3 of the German law governing copyright of works of fine art and photography (KunstUrhG).
3. Recipients of your data Your data can be accessed by members of the Communication Team at vzbv and by the vzbv team that organises and delivers the event. The IT administrators also have access to the data so far as is necessary for technical purposes. Your name and the name of your institution will also be made available to the other participants for networking purposes, provided that you consented to such use when you registered and so far as there is an attendance list. Photographs and videos that are published or otherwise processed for documentation or publicity purposes may be publicly available.
All data processing is carried out exclusively in Europe, whether by us or on our behalf.
XI. Rights of the data subject
If your personal data is processed, you are the data subject as defined by GDPR and you have the following rights vis-à-vis the controller:
1. Right of access You have the right to obtain from the controller confirmation as to whether or not we are processing personal data concerning you. If we are processing such information, you have the right to demand that the controller provides you with the following information:
(1) The purposes of the processing.
(2) The categories of personal data concerned.
(3) The recipients or categories of recipient to whom the personal data has been or will be disclosed.
(4) The envisaged period for which the personal data will be stored, or, if it is not possible to provide this specific information, the criteria used to determine that period.
(5) The existence of the right to request from the controller rectification or erasure of your personal data or restriction of processing of personal data concerning you or to object to such processing.
(6) The right to lodge a complaint with a supervisory authority.
(7) Where the personal data is not collected from the data subject, any available information as to its source.
(8) The existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You also have the right to be informed whether your personal data is being transferred to a third country or an international organisation. In this context you can demand to be informed about the guarantees pursuant to Article 46 GDPR in connection with the transfer of data.
2. Right to rectification
You have a right to obtain from the controller rectification of inaccurate personal data concerning you and/or the completion of incomplete personal data. The controller must rectify the data without undue delay.
3. Right to restrict processing
You have the right to demand that the processing of your personal data be restricted if one of the following applies:
(1) You contest the accuracy of your personal data, whereby the restriction applies for a period enabling the controller to verify the accuracy of the personal data.
(2) The processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead.
(3) The controller no longer needs the personal data for the purposes of the processing, but you need it for the establishment, exercise or defence of legal claims.
(4) You have objected to the processing in accordance with Article 21 (1) GDPR, pending verification of whether the legitimate grounds of the controller override yours.
Where the processing of your personal data has been restricted, such data may, with the exception of its storage, be processed only with your consent or for the purpose of establishing, exercising or defending claims or to protect rights of another individual or legal entity or for reasons of an important public interest of the European Union or one of its Member States. If the restriction on processing is restricted in accordance with the aforementioned conditions, the controller will inform you before the restriction is lifted.
4. Right to erasure
a) Duty to erase
You have the right to demand from the controller that your personal data be erased without undue delay and the controller is obliged to erase this data without undue delay provided that one of the following grounds applies:
(1) The personal data concerning you is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
(2) You revoke the consent on which the processing was based in accordance with Article 6 (1) (a) or Article 9 (2) (a) GDPR, and there is no other legal basis for the processing.
(3) You object to the processing in accordance with Article 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing in accordance with Article 21 (2) GDPR.
(4) Your personal data has been unlawfully processed.
(5) Your personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
(6) Your personal data has been collected in relation to the offer of information society services referred to in Article 8 (1) GDPR.
The right to erasure does not apply if the processing is necessary
(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health in accordance with Article 9 (2) (h) and (i) as well as Article 9 (3) GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) GDPR in so far as the right referred to in paragraph a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(5) for the establishment, exercise or defence of legal claims.
5. Right to notification
If you have exercised a right to rectification or erasure of personal data, or restriction of processing, against the controller, the controller must communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort.
The controller must also inform you about those recipients if you request it.
6. Right to object You have the right to object to the processing of personal data concerning you at any time on grounds relating to your particular situation, where the legal basis for such processing is point e or f of Article 6 (1) GDPR; this also applies to profiling based on those provisions.
The controller will then no longer process your personal data unless it can demonstrate compelling legitimate grounds for processing the data which override your interests, rights and freedoms, or if the processing is necessary for the establishment, exercise or defence of legal claims.
Where your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing. This also applies to profiling, to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, we will no longer process your personal data for this purpose.
In relation to the use of information society services, you may exercise your right to object by means of automated processes based on technical specifications, notwithstanding the provisions of Directive 2002/58/EC.
7. Right to withdraw consent to data processing
You have the right to withdraw your consent to the processing of your data at any time. If consent to the processing is withdrawn, this will not affect the legality of processing activities performed prior to the withdrawal of consent.
8. Right to lodge a complaint with a supervisory authority
If you believe that the processing of your personal data contravenes the provisions of GDPR, you have the right – without prejudice to any other administrative or judicial remedy – to lodge a complaint with a supervisory authority, especially in the Member State in which your place of residence, your work place or the place of the alleged contravention is located.
The supervisory authority with which the complaint has been lodged will inform the complainant about the status and outcome of the complaint, including the possibility of pursuing a judicial remedy in accordance with Article 78 GDPR. The supervisory authority for vzbv is:
Berlin Commissioner for Data Protection and Freedom of Information
Puttkamerstrasse 16 – 18