Privacy Policy
We are very pleased by your interest in our company. Data protection is of particularly high importance to the management of ecostag GmbH. The internet pages of ecostag GmbH can generally be used without providing any personal data. However, if a person concerned wishes to use special services of our company via our internet site, the processing of personal data may become necessary. If the processing of personal data is required and there is no legal basis for such processing, we will generally obtain consent from the person concerned.
The processing of personal data, for example, the name, address, email address, or phone number of a person concerned, is always carried out in accordance with the General Data Protection Regulation and in accordance with the applicable national data protection regulations for ecostag GmbH. With this data protection declaration, our company aims to inform the public about the nature, scope, and purpose of the personal data we collect, use, and process. Furthermore, affected individuals are informed about their rights through this data protection declaration.
ecostag GmbH has implemented numerous technical and organizational measures as the processor responsible, to ensure the maximum possible protection of the personal data processed through this internet site. Nevertheless, internet-based data transmissions may fundamentally have security gaps, so that absolute protection cannot be guaranteed. For this reason, any person concerned is free to transmit personal data to us by alternative means, for example, by telephone.
1. Definitions
The data protection declaration of ecostag GmbH is based on the terminology used by European legislators for the enactment of the General Data Protection Regulation (GDPR). Our data protection declaration is intended to be both accessible and understandable to the public as well as to our customers and business partners. To ensure this, we would like to explain the terms used.
We use, among other terms, the following terms in this data protection declaration:
a) personal data
Personal data is any information relating to an identified or identifiable natural person (hereinafter referred to as "the person concerned"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or to one or more specific characteristics that express the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
b) person concerned
Person concerned is any identified or identifiable natural person whose personal data is processed by the controller.
c) processing
Processing is any operation or set of operations performed on personal data, whether by automated means or not, such as the collection, recording, organization, structuring, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
d) restriction of processing
Restriction of processing is the marking of stored personal data with the aim of limiting their processing in the future.
e) profiling
Profiling is any form of automated processing of personal data that consists of using such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements of that natural person.
f) pseudonymization
Pseudonymization is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures that ensure that the personal data cannot be attributed to an identified or identifiable natural person.
g) controller or processor
Controller or processor is the natural or legal person, public authority, agency, or other body that determines the purposes and means of the processing of personal data, alone or jointly with others. Where the purposes and means of such processing are determined by Union law or the law of the Member States, the controller or the specific criteria for its designation may be provided for by Union law or the law of the Member States.
h) processor
Processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
i) recipient
Recipient is a natural or legal person, public authority, agency, or other body to which the personal data are disclosed, whether a third party or not. However, public authorities that may receive personal data in the course of a specific inquiry under Union law or the law of the Member States shall not be regarded as recipients.
j) third party
Third party is a natural or legal person, public authority, agency, or body other than the data subject, the controller, the processor, and the persons who, under the direct authority of the controller or the processor, are authorized to process the personal data.
k) consent
Consent is any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which the data subject signifies agreement to the processing of personal data relating to them.
2. Name and address of the controller
The controller within the meaning of the General Data Protection Regulation, other applicable data protection laws in the Member States of the European Union, and other provisions with data protection legal character is:
ecostag GmbH
Hafenpromenade 1-2
44263 Dortmund
Germany
Tel.: 023199762910
Email: info@ecostag.com
Website: ecostag.com
3. Collection of general data and information
The website of ecostag GmbH collects a series of general data and information with each access of the Internet site by a person concerned or an automated system. This general data and information are stored in the log files of the server, and may include (1) the types and versions of browsers used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our website (so-called referrer), (4) the sub-websites that are accessed via an accessing system on our website, (5) the date and time of access to the website, (6) an Internet Protocol address (IP address), (7) the internet service provider of the accessing system, and (8) other similar data and information that serve to avert danger in the event of attacks on our information technology systems.
When using these general data and information, ecostag GmbH does not draw conclusions about the person concerned. Rather, this information is needed to (1) deliver the contents of our website correctly, (2) optimize the contents of our website and the advertising for it, (3) ensure the permanent functionality of our information technology systems and the technology of our website, and (4) provide law enforcement authorities with the information necessary for criminal prosecution in the event of a cyber attack. These anonymously collected data and information are therefore evaluated by ecostag GmbH both statistically and with the aim of increasing data protection and data security in our company, in order to ultimately ensure an optimal level of protection for the personal data processed by us. The anonymous data of the server log files are stored separately from all personal data provided by a data subject.
4. Routine deletion and blocking of personal data
The controller processes and stores personal data of the person concerned only for the time necessary to achieve the purpose of storage or as long as this is provided for by European legislators or another legislator in laws or regulations to which the controller is subject.
If the purpose of storage no longer applies or a storage period prescribed by European legislators or another competent legislator expires, the personal data will be routinely blocked or deleted in accordance with the legal regulations.
5. Rights of the person concerned
a) Right to confirmation
Every data subject has the right granted by European legislators to request from the controller confirmation as to whether personal data concerning them is processed. If a data subject wishes to exercise this right to confirmation, they may at any time contact an employee of the controller.
b) Right to information
Every person affected by the processing of personal data has the right granted by the European legislator to obtain from the controller, free of charge and at any time, information about the personal data stored concerning them and a copy of this information. Furthermore, the European legislator has granted the data subject the right to be informed of the following:
the purposes of processing
the categories of personal data being processed
the recipients or categories of recipients to whom the personal data has been disclosed or will be disclosed, in particular to recipients in third countries or international organizations
if possible, the planned duration for which the personal data will be stored, or, if that is not possible, the criteria for determining that duration
the existence of a right to rectification or erasure of the personal data concerning them or to restriction of processing by the controller or a right to object to such processing
the existence of a right to lodge a complaint with a supervisory authority
if the personal data are not collected from the data subject: all available information about the source of the data
the existence of automated decision-making including profiling according to Article 22 paragraphs 1 and 4 GDPR and — at least in those cases — meaningful information about the logic involved as well as the significance and the intended consequences of such processing for the data subject
Furthermore, the data subject has the right to know whether personal data has been transferred to a third country or to an international organization. If this is the case, the data subject has the right to obtain information about the appropriate safeguards in connection with the transfer.
If a data subject wishes to exercise this right to information, they may at any time contact an employee of the controller.
c) Right to rectification
Every person affected by the processing of personal data has the right granted by the European legislator to request the immediate rectification of inaccurate personal data concerning them. Furthermore, the data subject has the right to request the completion of incomplete personal data — also by means of a supplementary statement — taking into account the purposes of the processing.
If a data subject wishes to exercise this right to rectification, they may at any time contact an employee of the controller.
d) Right to deletion (right to be forgotten)
Every person affected by the processing of personal data has the right granted by the European legislator to request from the controller the immediate deletion of personal data concerning them if one of the following reasons applies and as long as the processing is not necessary:
The personal data were collected or otherwise processed for purposes for which they are no longer necessary.
The data subject revokes their consent, on which the processing was based according to Art. 6 paragraph 1 letter a GDPR or Art. 9 paragraph 2 letter a GDPR, and there is no other legal basis for processing.
The data subject lodges an objection to the processing according to Art. 21 paragraph 1 GDPR, and there are no overriding legitimate grounds for processing, or the data subject lodges an objection according to Art. 21 paragraph 2 GDPR.
The personal data have been unlawfully processed.
The deletion of personal data is necessary for compliance with a legal obligation under Union law or the law of the Member States to which the controller is subject.
The personal data have been collected in relation to services offered by the information society according to Art. 8 paragraph 1 GDPR.
If one of the above-mentioned reasons applies and a data subject wants to request the deletion of personal data stored at ecostag GmbH, they may at any time contact an employee of the controller. The employee of ecostag GmbH will ensure that the deletion request is complied with without delay.
If personal data has been made public by ecostag GmbH and our company is obliged to delete personal data as the controller according to Art. 17 paragraph 1 GDPR, ecostag GmbH will take appropriate measures, including technical measures, taking into account available technology and implementation costs, to inform other data controllers processing the published personal data that the data subject has requested the deletion of all links to this personal data or copies or replications of this personal data from those other data controllers, as long as the processing is not necessary. The employee of ecostag GmbH will take the necessary actions on a case-by-case basis.
e) Right to restriction of processing
Every person affected by the processing of personal data has the right granted by the European legislator to request the controller to restrict the processing if one of the following conditions is met:
The accuracy of the personal data is disputed by the data subject for a duration that allows the controller to verify the accuracy of the personal data.
The processing is unlawful, and the data subject opposes the deletion of personal data and instead requests the restriction of the use of personal data.
The controller no longer needs the personal data for the purposes of processing, but the data subject needs them to assert, exercise, or defend legal claims.
The data subject has lodged an objection to the processing according to Art. 21 paragraph 1 GDPR and it is not yet clear whether the legitimate grounds of the controller override those of the data subject.
If one of the above conditions is met, and a data subject wishes to request the restriction of personal data stored by ecostag GmbH, they may at any time contact an employee of the controller. The employee of ecostag GmbH will initiate the restriction of processing.
f) Right to data portability
Every person affected by the processing of personal data has the right granted by the European legislator to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used, and machine-readable format. They also have the right to transmit those data to another controller without hindrance from the controller to whom the personal data has been provided, provided that the processing is based on consent according to Art. 6 paragraph 1 letter a GDPR or Art. 9 paragraph 2 letter a GDPR or on a contract according to Art. 6 paragraph 1 letter b GDPR and the processing is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Furthermore, the data subject has the right, in exercising their right to data portability according to Art. 20 paragraph 1 GDPR, to obtain that the personal data are transmitted directly from one controller to another, where this is technically feasible and does not adversely affect the rights and freedoms of others.
To assert the right to data portability, the data subject may contact an employee of ecostag GmbH at any time.
g) Right to object
Every person affected by the processing of personal data has the right granted by the European legislator to object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them that is based on Article 6(1)(e) or (f) GDPR. This also applies to profiling based on these provisions.
In the event of an objection, ecostag GmbH will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or the processing is necessary for the establishment, exercise, or defense of legal claims.
If ecostag GmbH processes personal data for the purpose of direct marketing, the data subject has the right to object at any time to the processing of personal data for the purposes of such advertising. This also applies to profiling, to the extent that it is related to such direct advertising. If the data subject objects to the processing for direct marketing purposes, ecostag GmbH will no longer process the personal data for these purposes.
Moreover, the data subject has the right to object, on grounds relating to their particular situation, to the processing of personal data concerning them, which occurs at ecostag GmbH for scientific or historical research purposes or for statistical purposes according to Article 89 paragraph 1 GDPR, unless such processing is necessary for the performance of a task carried out in the public interest.
To exercise the right to object, the data subject can directly contact any employee of ecostag GmbH. The data subject is also free to exercise their right to object in the context of the use of information society services, notwithstanding Directive 2002/58/EC, through automated procedures using technical specifications.
h) Automated decisions in individual cases including profiling
Every person affected by the processing of personal data has the right granted by the European legislator not to be subject to a decision based solely on automated processing — including profiling — which produces legal effects or similarly significantly affects them, unless the decision (1) is necessary for the conclusion or performance of a contract between the data subject and the controller, or (2) is permitted by Union or Member State law to which the controller is subject, and that law provides for appropriate measures to safeguard the rights and freedoms as well as the legitimate interests of the data subject, or (3) is based on the explicit consent of the data subject.
If the decision (1) is necessary for the conclusion or performance of a contract between the data subject and the controller or (2) is made with the explicit consent of the data subject, ecostag GmbH will take appropriate measures to protect the rights and freedoms and the legitimate interests of the data subject, which will include at least the right to obtain human intervention on the part of the controller, to express their point of view, and to contest the decision.
If the data subject wishes to assert rights regarding automated decisions, they may contact an employee of the controller at any time.
i) Right to withdraw consent to data processing
Every person affected by the processing of personal data has the right granted by the European legislator to withdraw consent to the processing of personal data at any time.
If the data subject wishes to assert their right to withdraw consent, they may contact an employee of the controller at any time.
6. Data protection in applications and the application process
The processor collects and processes the personal data of applicants for the purpose of managing the application process. The processing may also occur electronically. This is particularly the case when an applicant submits corresponding application documents electronically, for example by email or via a web form located on the Internet site, to the processor. If the processor concludes an employment contract with an applicant, the transmitted data will be stored for the purpose of executing the employment relationship in compliance with legal regulations. If the processor does not conclude an employment contract with the applicant, the application documents will be automatically deleted two months after notification of the rejection decision, unless other legitimate interests of the controller oppose deletion. Other legitimate interests in this sense may be, for example, an obligation to provide evidence in proceedings under the General Equal Treatment Act (AGG).
7. Legal basis for processing
Art. 6 I lit. a GDPR serves our company as the legal basis for processing operations in which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, such as is the case for processing operations necessary for the delivery of goods or the provision of another service or consideration, the processing is based on Art. 6 I lit. b GDPR. The same applies to such processing operations that are required to carry out pre-contractual measures, such as in the case of inquiries regarding our products or services. If our company is subject to a legal obligation requiring the processing of personal data, such as to comply with tax obligations, the processing is based on Art. 6 I lit. c GDPR. In rare cases, processing of personal data may be necessary to protect vital interests of the data subject or another natural person. This would be the case, for example, if a visitor were to be injured in our company and subsequently their name, age, health insurance data, or other vital information needed to be disclosed to a doctor, hospital, or other third parties. In this case, the processing would be based on Art. 6 I lit. d GDPR. Ultimately, processing operations may be based on Art. 6 I lit. f GDPR. This legal basis applies to processing operations that are not covered by any of the aforementioned legal bases, if the processing is necessary for the purposes of the legitimate interests pursued by our company or a third party, provided that the interests, fundamental rights, and freedoms of the data subject do not override those interests. Such processing operations are particularly permissible, as they were specifically mentioned by the European legislator. They took the view that a legitimate interest could be assumed if the data subject is a customer of the controller (Recital 47 sentence 2 GDPR).
8. Legitimate interests in processing pursued by the controller or a third party
If the processing of personal data is based on Article 6 I lit. f GDPR, our legitimate interest is to carry out our business activities for the benefit of the well-being of all our employees and our shareholders.
9. Duration for which personal data will be stored
The criterion for the duration of storage of personal data is the respective statutory retention period. Once the retention period has expired, the corresponding data will routinely be deleted, as long as they are no longer necessary for the fulfillment of the contract or for the initiation of a contract.
10. Legal or contractual provisions for the provision of personal data; Necessity for the conclusion of the contract; Obligation of the data subject to provide personal data; possible consequences of non-provision
We would like to inform you that the provision of personal data is partly required by law (e.g., tax regulations) or may arise from contractual regulations (e.g., information about the contracting party). To conclude a contract, it may sometimes be necessary for a data subject to provide us with personal data that will subsequently need to be processed by us. The data subject is obliged to provide us with personal data when our company concludes a contract with them. Failure to provide the personal data would mean that the contract with the data subject could not be concluded. Before a data subject provides personal data, the data subject must contact one of our employees. Our employee will clarify on a case-by-case basis whether the provision of personal data is required by law or contract, whether there is an obligation to provide personal data, and what consequences the non-provision of personal data would have.
11. Existence of automated decision-making
As a responsible company, we refrain from automated decision-making or profiling.
This data protection declaration was created by the data protection declaration generator of DGD Deutsche Gesellschaft für Datenschutz GmbH, which operates as External Data Protection Officer Oberpfalz in cooperation with lawyer for data protection Christian Solmecke.